Block all outbound traffic except whitelisted domain and subdomain

Windows standards, even nowadays with the latest Win10, Windows will automatically use available wpad.yourdomain.com and proxy.yourdomain.com - without any configuring!

So you can use that to “bend” the rules (proxy.pac) as needed!

My 2 cents
Andy