In my previous company, we use BlueCoat for web filtering.
one way would be to enforce app-vpn for the browser and route the traffic trough the company filters.
for used filters, to many solutions out there, one thing would be if your firewall vendor has an option to enable this in your (most likley) already existing device.
as for bluecoat, we blacklisted them. ( https://www.forbes.com/sites/thomasbrewster/2015/03/30/when-censorship-backfires-how-blue-coat-silenced-a-security-researcher/ )
Come to think of it, I did remember modifying the proxy of the Safari browser so that all traffic by default goes through our web filtering solution. If the domain is the same (i.e. internal), then traffic is allowed to go through by default. Otherwise, it's based on rules whether traffic is allowed to go through or not.