Does your gateway / Firewall allow internet traffic from any IP or only through the PROXY Server? If its open for all the IP’s than users can bypass the proxy server and freely browse the internet. The best way to restrict the users is by restricting them to change any TCP / IP & Browser settings. Since you are using an AD this can easily be achieved through a Group Policy.
I addition to the above you can control which IP’s and protocols have connectivity to the internet via the ASA. Maybe set it up so that only you proxy has access to browse the Internet.