Yes there are Group Policy entries that will prohibit specified applications from running. You can disable IEXPLORE for specific logon groups. However if they can login to the local machine ‘Group Policy’ won’t work.
If you disable IE and they install another browser they still have ‘Internet’ access.
A better solution is gateway/firewall rules. Put the restricted employees on one subnet and block ports 80 and 443. The other employess still have access and the restricted employees can only get internal web pages.