The nuke-it-from-orbit approach works for me, but YMMV: a default-deny firewall for the Windows IP on the default gateway, with an external Squid proxy for Firefox. Use netstat -on | grep $PID to add rules to allow access per process for things that just have to get through.
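As an added example (not part of the original comment), this sketch turns `netstat -on` output into the unique remote endpoints owned by one process, matching the PID as the exact last column so that a plain `grep $PID` hit on a port number or on a longer PID is not mistaken for the process. The function names, the sample output (constructed, documentation addresses) and the `proto address port` output format are assumptions; the comment does not say which firewall runs on the gateway, so the tuples are left for translation into that firewall's own rule syntax.

```shell
#!/bin/sh
# Constructed sample of Windows `netstat -on` output (documentation addresses).
sample_netstat() {
cat <<'EOF'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     4312
  TCP    192.0.2.10:49713       198.51.100.7:443       ESTABLISHED     4312
  TCP    192.0.2.10:4312        203.0.113.9:80         ESTABLISHED     977
  TCP    192.0.2.10:49720       203.0.113.5:22         ESTABLISHED     14312
  TCP    127.0.0.1:49730        127.0.0.1:8080         ESTABLISHED     4312
  TCP    [2001:db8::10]:49740   [2001:db8::1]:443      ESTABLISHED     4312
  UDP    0.0.0.0:5353           *:*                                    4312
EOF
}

# Print unique "proto remote_addr remote_port" tuples owned by exactly PID $1.
# Reads netstat -on output on stdin.
endpoints_for_pid() {
  awk -v pid="$1" '
    { sub(/\r$/, "") }                          # tolerate CRLF line endings
    ($1 == "TCP" || $1 == "UDP") && $NF == pid {
      remote = $3
      if (remote == "*:*") next                 # unconnected UDP socket
      n = match(remote, /:[0-9]+$/)             # final colon, so IPv6 is safe
      if (n == 0) next
      addr = substr(remote, 1, n - 1)
      port = substr(remote, n + 1)
      gsub(/^\[|\]$/, "", addr)                 # strip IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1") next  # loopback never hits the gateway
      key = tolower($1) " " addr " " port
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Demo on the constructed sample; on a real host: netstat -on | endpoints_for_pid "$PID"
sample_netstat | endpoints_for_pid 4312
```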