It is possible to block using a 3-layer approach.
Going back to jlightner's comments at the beginning of this thread, it is much easier to have a blanket block and then specifically allow services out.
This means adding proxies for different protocols, pop, imap, smtp, ftp, http, ntp, dns, (maybe socks) etc to allow services out.
Blocking just the high ports leaves access through ports 80 & 443.
Forcing all traffic through an http proxy and/or http filter will stop Skype's non-http type encrypted connection on those ports.
From the analysis of the Skype protocol at http://www.eecs.harvard.edu/~mema/co...nfocom2006.pdf the central point of blocking comes from denying access to the login server.
Once a client has logged in, however, you need some stronger defenses.
Having said all that, most companies I have added blocks to have asked for them to be removed, as Skype is such a valuable tool for calling, so now we are doing bandwidth control on port 443 instead.
To avoid mistaking http traffic for Skype traffic, don't force 443 to the proxy & make sure users have an https proxy set in their browser settings.
You can also add another layer of control by only allowing an outgoing NAT to some permitted services, preventing clients from accessing the internet directly.
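
The layered egress policy described in this post, sketched as an iptables ruleset (an added example, not part of the original post). The subnet, proxy address, interface name and list of directly permitted services are constructed placeholders; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints an iptables egress ruleset for a Linux gateway.
# Review the output, then pipe it to "sh" as root to apply it.
# Every value below is a constructed placeholder (assumption).
LAN_NET="10.0.0.0/24"    # client subnet
PROXY_IP="10.0.0.10"     # host running the http/https proxy
WAN_IF="eth1"            # internet-facing interface
# Services clients may reach directly, as proto:port:destination
DIRECT="udp:123:192.0.2.123 tcp:25:192.0.2.25"

egress_rules() {
    # Layer 1: blanket block on everything routed through the gateway
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Layer 2: only the proxy host may open connections on 80/443.
    # Port 443 is not redirected; browsers must have the proxy configured,
    # so a client connecting straight out on 443 falls through to DROP.
    echo "iptables -A FORWARD -s $PROXY_IP -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $PROXY_IP -o $WAN_IF -j MASQUERADE"

    # Layer 3: outgoing NAT for clients only towards the permitted services
    for svc in $DIRECT; do
        proto=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*}; dest=${rest#*:}
        echo "iptables -A FORWARD -s $LAN_NET -d $dest -o $WAN_IF -p $proto --dport $port -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $dest -o $WAN_IF -p $proto --dport $port -j MASQUERADE"
    done
}

egress_rules
```
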