I was curious on how you could limit users surfing the Internet, I found KobrAs's guide useful :D
I setup a group called Internet and assigned users to it and apply this to my iptable
iptables -t filter -A OUTPUT -p tcp -dport 80 --match owner --gid-owner 501 -j DROP
This worked great, but I was wondering if you had your users logging in all over your network
using LDAP, How could you make these rules apply still?