I'm not sure if this is going to be possible transparently.
All I can say for certain is that I've checked the written notes I made from the product launch and I have written "McAfee Logon Collector currently not supported for Citrix/TS environments".
I was able to block internet access by creating a policy in my Citrix server container and then using the security settings to associate it with the user group I wanted to block from the internet.
The setting I used was User Configuration > Administrative Templates > System and the value "Don't run specified Windows application" and added iexplore.exe.
There are other ways of blocking access. I saw notes where people were overriding the proxy settings to something that didn't go anywhere.
I ended up finding a solution to my problem; restricting the browser was not an option as they still needed access to internal sites.
I ended up not using the login collector but using the firewall with Windows Authentication and made the access transparent to the user. I then ended up using the SmartFilter management client enabled Active Directory and implemented a default block policy for all users and a policy for users based on groups. The key was not to use a passport on the firewall.
Not the simplest, but it solved my issue. I plan to document the setup over the coming days and post here for others in the same situation.