A few of the users at our firm are sometimes required to do investigative work that takes them to web sites of ill repute. Currently our Palo Alto firewall is doing an excellent job of blocking these websites and their potentially dangerous content. However, we'd like to find a way to access such sites without exposing our internal network. I'm looking for suggestions as to what would be the most efficient way to accomplish this for users on Windows 7 workstations that are working from our internal network. Would it require the use of a DMZ or is their perhaps another way?
A little bit about our environment: 4 ESXi Hosts, Virtual Servers and Physical Servers (All running version of Windows Server from 2003 to 2012), Windows 7 Workstations, HP Procurve Switches, everything behind a Palo Alto PA-500 firewall.
Thanks in advance for any suggestions!