Prevent any direct access to the internet; force all traffic through a proxy and an IDS instead
All the connections from your internal network to the internet must go via a proxy (no direct connections).
Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.
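An added example of the gateway firewall policy described above (not part of this page): an nftables ruleset that drops all direct outbound traffic from the internal network and lets only the web proxy, the split-DNS resolver and the mail server reach the internet, logging every other attempt so the IDS/SIEM can alert on proxy bypass. Interface names, the LAN range and the three host addresses are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: egress policy for a gateway between LAN and internet.
# All addresses and interface names below are assumptions for this example.
flush ruleset

define LAN_IF    = "eth1"            # internal network side
define WAN_IF    = "eth0"            # internet side
define LAN_NET   = 192.168.10.0/24   # internal network
define WEB_PROXY = 192.168.10.10     # authenticated web proxy (clients must use it)
define DNS_FWD   = 192.168.10.11     # split-DNS resolver; only it may query upstream
define MAIL_GW   = 192.168.10.12     # email server; only it may deliver mail directly

table inet egress {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows already accepted below
        ct state established,related accept
        ct state invalid drop

        # Only LAN -> internet traffic is evaluated by the egress policy
        iifname $LAN_IF oifname $WAN_IF jump lan_to_wan
    }

    chain lan_to_wan {
        # Web proxy is the single host allowed to speak HTTP/HTTPS outbound
        ip saddr $WEB_PROXY tcp dport { 80, 443 } accept

        # Split-DNS resolver is the single host allowed to reach upstream DNS
        ip saddr $DNS_FWD udp dport 53 accept
        ip saddr $DNS_FWD tcp dport 53 accept

        # Email server is the single host allowed to send mail directly
        ip saddr $MAIL_GW tcp dport { 25, 465, 587 } accept

        # Any other LAN host reaching for the internet directly is a policy
        # violation: log it for the IDS/SIEM, then drop it
        ip saddr $LAN_NET log prefix "EGRESS-DENY: " level warn drop
    }
}
```

Feed the IDS from a mirror of the proxy's egress (or of eth0) and alert on "EGRESS-DENY" log entries, which identify internal hosts trying to bypass the proxy; IPv6 needs equivalent rules or must be disabled on the LAN for the policy to hold.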