Of course the relative ease of doing this will depend largely on if every user has their own system, rather than a couple of people all sharing one.
If each person has their own computer, you can just block that IP at the firewall. Simple, elegant, effective. If they share a system, you'll have to tie it into ActiveDirectory, assuming you're using it. There are some other methods, but they get even more complicated and/or aren't as reliable.
I suppose if your employees aren't terribly bright about using computers, you could try just removing obvious links to programs like Internet Explorer (which is a good idea in general, given the security implications involved with using IE) and hope that they don't figure out any Explorer window can become a web browser.
Personally, I'd just let it be known that you'll be checking the logs regarding Internet access, and that there will be stiff penalties for anyone found to be using the Internet who shouldn't be. Like maybe a warning, and then being fired. You should be checking the access logs pretty regularly anyway as the system admin, so this is the path of least work on your part.
Is it possible to restrict certain user account from accessing to the Internet? If possible, how? Most of the computers connected to my Windows 2003 SMB Server are running on XP Professional. Thank you.
Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic