First: you need to use a way to block the ultrasurf file executable to reach the system.
Download links for ultrasurf, USB/CD access or other removable media disabled by default
add a program to watch for ultrasurf signature when a program is started (also add it to “disallowed programs” from windows)
Second: block at firewall level everything and then allow only what you want
Third: use a per user authentication on the PC/proxy so you will know who is using what.
Log the usage on each station (log the actions not the content, otherwise it will be illegal 
)
Put a very big warning and disclaimer at login with “This station is monitored, any and all actions are logged bla bla bla…” And at the end put the relevant phrase.
“Any deviation from the mentioned rules will be sanctioned (you name what will happen)”
I hope this will help a little 
BR.
Bogdan