The easiest way to do it (IMHO) is to block direct web access. Then your proxy is needed to get out to the web, so Firefox et al now fail from the get-go. Then your banning trick works... except if the user sets FF to use the proxy.

Ideally you need a web filtering proxy which allows user bans, or to implement the router-side solution that teejay suggests.

What router/filter combination are you using presently?