Traditionally, this would be handled by your firewall. Only allow outbound traffic on known ports.
If you are using Microsoft Active Directory, you could also take away local admin rights through GPO and stop people from installing alternative browsers or modifying the systems proxy ports. But the more your lock a machine, the more likely you are to prevent people from doing their work, and could make a lot of more work for you to install apps for employees.
If you are asking how to block users from downloading a proxy-modifying plugin from being downloaded through the gateway, that may be difficult. You could block all the sites that index and host plugins. It should take care the bulk of your employees, but a clever person could download the plugin at home and bring it in on a USB key, or put it on their personal website. So you would still need to rely on the firewall to prevent the direct access.
THnx Man, It's Now clear