Is it possible to disable WAN access but leave LAN access up??

I'm ignoring the various legal and financial and employment and proper use of company resources discussions that obviously lurk here; these sorts of discussions and situations can end in very messy and expensive situations if not handled appropriately.

As for logging and monitoring web traffic, the usual approach is via a [web proxy server|http://discussions.apple.com/thread.jspa?threadID=1946037].

There are other ways to mess up IP routing, involving various degrees of difficulty. Whether this is using parental filters on a firewall or on a client, or using local DNS blocks, or otherwise, depends on how your network is organized and managed.

But at its core, this is not a problem with a reliable technical solution.

The easiest way to block WAN access is to remove the router address in Network preferences. This will allow the system to talk to LAN systems but it won't know how to get past the LAN and out into the big bad internet.

As mentioned, though, this is a slippery slope, with many caveats. Technically savvy users, for example, won't find it hard to circumvent most filters and if you get too paranoid about it you'll find you're wasting your own time implementing blocks as well as the employees' time, which isn't going to be productive for the company, either.

At the end of the day, a word in people's ear (or even a company-wide policy announcement) asking staff to be conscious of their online activities while at work can be far more effective.