You will need the server to have 2 network connections. The first will connect to the internet through hopefully a hardware firewall before the modem such as a router which has a built in firewall. The second network connection will connect to your internal network that all systems are on.
Next comes the more complicated part. In Server 2012 you will need to set up DHCP for dynamic IP addresses to be issued or choose to go with static IP addresses at each workstation. Next you will need to set up a gateway connection for all systems to get their internet access through this server acting as a gateway. Next you will need to set up likely a proxy service to have your content control in which you can blacklist certain sites or go super content control with all but only specific sites whitelisted.
As far as removing network access to a workstation, you would have to terminate its lease early in DHCP and then have its MAC address flagged to not be granted an IP or, if you still want it on the LAN but with no internet, then issued an IP and subnet but no gateway IP.
At the workstation, if you have any employees who know their way around and have access to the network properties at a system, if they are locked out and look at the info at another computer, they could hack a connection outbound by going static config and choosing an IP address that is say 192.168.100.239 on a network that is 192.168.100.x and avoid an IP conflict with 40-50 devices all in the say 192.168.100.10 to 192.168.100.60 range. But if they are locked out of making changes to IP then you don't have to worry about anyone setting up a manual config to server and getting outbound.
The best content control would be a gateway config that has a blocker by MAC address so that even if someone hacked with a static config to try to gain outbound access, it still would flag it as unapproved and not work.
For content control in the past I have configured and used a SonicWall vs proxy config at a server acting as a gateway for commercial controls.
http://www.sonicguard.com/ContentFilteringService.asp?gclid=CI_tqJ3O0MYCFQYQaQodvPYPxQ
For personal content controls etc, I have used either built-in content control in the workstations' browsers for small work groups or if necessary set up a proxy using SQUID for all systems to connect to, although I haven't used SQUID in a while and the biggest need for SQUID was years ago with small businesses on shared dial-up or satellite connections with limited bandwidth and creating a cache of the frequently visited websites so that some traffic was able to be resolved locally vs each request having to download all the pictures, audio, video files, in which the proxy would check the contents in the local cache against the website and if the content was local it would pass back to the workstation a local result or only have to download the dynamic info that is changing frequently, yet ads with pictures that don't change often are loaded locally from the cache of the proxy. But ever since broadband expanded, the need for such a proxy disappeared for this benefit of local cached data.
http://www.squid-cache.org/
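
The lease and MAC checks described in this answer, as an added example that is not part of the original post: it compares the gateway's neighbor (ARP) table with the DHCP leases and the deny filter to flag workstations that are active on the LAN without an approved lease, such as the static 192.168.100.239 case. The function names, parameters and sample MAC addresses are assumptions made for illustration; the cmdlets named in the comments come from the Server 2012 DhcpServer and NetTCPIP modules.

```powershell
# Added example; the sample data is constructed. On a real Server 2012 gateway:
#   $leases    = Get-DhcpServerv4Lease -ScopeId 192.168.100.0
#   $denied    = (Get-DhcpServerv4Filter -List Deny).MacAddress
#   $neighbors = Get-NetNeighbor -AddressFamily IPv4   # filter to the LAN scope first

function ConvertTo-NormalMac([string]$Mac) {
    # Compare MACs regardless of case or separator
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Find-UnapprovedHost {
    param($Leases, [string[]]$DeniedMacs = @(), $Neighbors, [string[]]$KnownStatic = @())

    $leased = @{}   # IP -> MAC as issued by DHCP
    foreach ($l in $Leases) { $leased[[string]$l.IPAddress] = ConvertTo-NormalMac $l.ClientId }
    $deny = @($DeniedMacs | ForEach-Object { ConvertTo-NormalMac $_ })

    foreach ($n in $Neighbors) {
        $ip  = [string]$n.IPAddress
        $mac = ConvertTo-NormalMac $n.LinkLayerAddress
        # Skip incomplete entries and approved static hosts (servers, printers)
        if (-not $mac -or $KnownStatic -contains $ip) { continue }
        $reason = if ($deny -contains $mac) {
            'denied MAC is still active on the LAN'
        } elseif (-not $leased.ContainsKey($ip)) {
            'IP not issued by DHCP (static config)'
        } elseif ($leased[$ip] -ne $mac) {
            'IP is leased to a different MAC'
        }
        if ($reason) { [pscustomobject]@{ IPAddress = $ip; Mac = $mac; Reason = $reason } }
    }
}

# Constructed sample data (hypothetical MAC addresses)
$leases = @(
    [pscustomobject]@{ IPAddress = '192.168.100.10'; ClientId = '00-15-5d-00-00-0a' }
    [pscustomobject]@{ IPAddress = '192.168.100.11'; ClientId = '00-15-5d-00-00-0b' }
)
$denied = @('00-15-5D-00-00-2A')   # workstation whose lease was terminated
$neighbors = @(
    [pscustomobject]@{ IPAddress = '192.168.100.10';  LinkLayerAddress = '00-15-5D-00-00-0A' }
    [pscustomobject]@{ IPAddress = '192.168.100.239'; LinkLayerAddress = '00-15-5D-00-00-2A' }
    [pscustomobject]@{ IPAddress = '192.168.100.11';  LinkLayerAddress = '00-15-5D-00-00-3C' }
)
Find-UnapprovedHost -Leases $leases -DeniedMacs $denied -Neighbors $neighbors |
    Format-Table -AutoSize
```

A MAC is placed on the DHCP deny list with `Add-DhcpServerv4Filter -List Deny -MacAddress <mac>`. That filter only stops leases from being issued, so a report like this one covers the static-configuration case until MAC blocking is enforced at the gateway.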