Hi there, I'm rather new to eBox so I don't know much about it, but for ultrasurf, if I were on a windows domain, I would block ultrasurf application using software restriction policies with application hash rule. I don't know if same can be cooked up with eBox domain.
Other way is to block SSL (Port 443) it may be easier to deny all https sites (using squid) and set up a https Allowed list. The number of https sites users are likely to want to access would be very minimal and your HTTPS Allowed list would not be too difficult to maintain.