Your question expects at "2 parts" answer:
- you can prevent user to access internet by blocking HTTP, HTTPS, FTP etc protocols at firewall level for internal network(s), this is done adding new rule with these protocols and "deny" behavior.
- you should be informed that transparent proxy is not compatible with "authentication and filtering" at proxy level. I guess reason is that filtering being dependent on profiling behavior and because there is no "default profil" that could be applied to any "non authenticated" access, they decided to disable such feature.
But is "transparent proxy" really mandatory for you?
If you remove transparent proxy and set firewall rules as described above, then users changing their browser settings will not have access anymore to internet, thus they will revert back to "std" config and you will reach your goal (or at least what I guess is your goal).
Does it clarify the matter?