Windows Server does not implement a way to do exactly that, but there are ways to do it. They are not the best approach for internet access control, and dedicated tools may still be very helpful for controlling internet traffic at your company. Here I will show you a way to control who can access the internet (or any service, in fact); this is how we control internet access at my company.
The structure: 1 DHCP server and 1 RRAS server (both Windows Server 2008 R2).
We’ve divided our IP ranges as follows:
From 172.16.10.1 to 172.16.10.30 is reserved for manually defined IP addresses (yes, we do need that), with 172.16.10.1 being the default gateway.
From 172.16.10.32 to 172.16.10.254 is the range that our DHCP server handles, but there is a catch here: the IPs ranging from 172.16.10.129 to 172.16.10.254 are marked as an exclusion range for DHCP leases, and those are used for IP reservations. Notice that those addresses belong to 172.16.10.128/25.
The RRAS box is a Windows 2008 Server with the Routing and Remote Access role and a tweak to the IP routing table. Instead of being visible to the whole network (172.16.10.0/24), it is only visible to a subnet of that network (172.16.10.128/25), which just happens to be the range for reservations on the DHCP server.
So the process for allowing internet access to a client is just to reserve an IP address for its MAC address on the DHCP server and renew the IP lease.
And that’s it: some users have internet, some don’t, but the rest of the network services are available to everyone.
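Because this scheme grants internet access by IP address, it is worth checking periodically that every address in use inside 172.16.10.128/25 matches a DHCP reservation. The following is an added example, not part of the original post: it encodes the address plan above and audits IP/MAC pairs against the reservation list. The function names, MAC addresses and sample data are constructed for illustration.

```python
import ipaddress

# Address plan from the post; the /25 is the only subnet the RRAS box serves.
RRAS_SUBNET = ipaddress.ip_network("172.16.10.128/25")
RANGES = {  # inclusive first/last address of each range
    "static": ("172.16.10.1", "172.16.10.30"),
    "reservation": ("172.16.10.129", "172.16.10.254"),  # DHCP exclusion range
    "dynamic": ("172.16.10.32", "172.16.10.254"),       # rest of the DHCP scope
}

def zone(ip):
    """Name the part of the address plan that an IP belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, (first, last) in RANGES.items():  # in order, so reservation wins
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return "unassigned"

def norm_mac(mac):
    """Normalise 00-1A-2B-... and 00:1a:2b:... to one comparable form."""
    return mac.replace("-", ":").lower()

def audit(observed, reservations):
    """Return (ip, mac, reason) for hosts in the RRAS subnet without a matching reservation."""
    reserved = {norm_mac(m): ip for m, ip in reservations.items()}
    findings = []
    for ip, mac in observed:
        if ipaddress.ip_address(ip) not in RRAS_SUBNET:
            continue  # outside the subnet the RRAS box is visible to
        expected = reserved.get(norm_mac(mac))
        if expected is None:
            findings.append((ip, mac, "no reservation for this MAC"))
        elif expected != ip:
            findings.append((ip, mac, "reserved for " + expected))
    return findings

# Constructed sample data: configured reservations and IP/MAC pairs seen in an ARP table.
RESERVATIONS = {"00-1A-2B-00-00-01": "172.16.10.130", "00-1A-2B-00-00-02": "172.16.10.131"}
OBSERVED = [
    ("172.16.10.130", "00:1a:2b:00:00:01"),  # matches its reservation
    ("172.16.10.45", "00:1a:2b:00:00:09"),   # dynamic lease, outside the RRAS subnet
    ("172.16.10.131", "00:1a:2b:00:00:07"),  # in range, MAC has no reservation
    ("172.16.10.200", "00:1a:2b:00:00:02"),  # in range, but not the reserved address
]

if __name__ == "__main__":
    for finding in audit(OBSERVED, RESERVATIONS):
        print(finding)
```

The `zone` helper also shows the edges of the plan as written: 172.16.10.31 falls in no range, and 172.16.10.128 is still a dynamic address because the exclusion range starts at .129.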