Prevent any direct access to the internet, but force traffic through a proxy and IDS

All the connections from your internal network to the internet must go via a proxy (no direct connections).

Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.