In Active Directory on your domain server, create a new Organizational Unit (OU) called 'Restricted Users' or something like that.
Now right-click on your new OU, and select 'Properties.' Click on the 'Group Policy' tab. Create a new group policy called "No Internet" or something.
Edit the settings for this policy (make sure they meet or exceed the security level of the other existing group policies in your domain).
Under 'User Configuration' > 'Internet Explorer Maintenance' > 'Connection', set the Proxy Settings to some non-existent IP address and port.
Now, you can move certain users over to the new restricted OU by right-clicking on the user and choosing 'Move...' Any user belonging to this OU will have these proxy settings loaded by default when they log in and will not be able to use standard windows methods to connect to the internet (IE, Outlook Express, etc.)
Of course, there are workarounds for this. It's not hack-proof, but it may be better than nothing in your organization. For instance, if the workstation that the restricted user logs on to has Firefox or some other browser/email client installed, they will be able to access the internet. So you must restrict those users from being able to install software and/or run existing non-Microsoft internal applications.