We have a number of ruggedized tablets used by workers in the field. They are basically Windows 8 machines, with no keyboard, and a tough case.
Each tablet has a SIM card and makes a 4G connection via a local Telco. We have a Cisco AnyConnect VPN set up, which creates a tunnel over the 4G connection, into our head office. It is terminated on a Cisco ASA-5508x firewall, running FDM 188.8.131.52.
Users on the tablet primarily run in-house software, but occasionally need to fire up a web browser. The VPN is configured to route ALL outbound traffic over the VPN to head office; internet access is filtered for "non-business" sites and malware via the ASA-5508x.
This is mostly working, with one small issue. If users disconnect the VPN, they are free to browse the 'net wherever they like. In this situation, we do not want web browsing to work at all; we want tablet users to only be able to access the 'net via the VPN and ASA-5508x.
The machines are all domain members; the DC is running Server 2008 R2.
Any ideas on how to somehow "break" web browsing directly across the 4G connection?