IMO, OS X Server won't be a good solution as a network filter. It might be useful here, but it very likely won't be your most appropriate choice as a network-gateway-router system.
FWIW, I'd suggest pursuing this in a Fedora-focused networking forum, in general. This given that's your most common platform.
Assuming wired networks, you can divide up the access via managed switches and a VLAN, or via physical network segmentation. WiFi is somewhat harder to segment, short of having a guest network and a private network; you'd need access points (APs) with two networks configured, one of which allows a little more access, and the other that's presumably restricted to the local IP address space.
There are gateway routers around which allow several different segments to be maintained, but they're generally starting in the ~US$250 range and upwards, and usually expect a little more knowledge of IP networking and related topics than the residential routers that are in common use.
As for the updates, OS X Server can cache those, as can the Reposado tool on a Fedora system.
A common solution involves a web proxy filter, where all connections must pass through that device. The connections used for the OS X Server or Reposado server itself to download updates would need to be programmed to allow access, but the other local OS X clients could be aimed at the local server. In your case, your filter can block all outbound connections to TCP 80 and TCP 443 entirely, save for the specified servers loading updates from their respective upstream sources.
Email is fairly easy, as you'll probably want to block outbound TCP 25, but allow POP via SSL and IMAP via SSL and allow the submission ports (TCP 486 and TCP 587).
Now for the somewhat bad news: these general approaches can often be bypassed using VPNs and tunnels, so somebody that's knowledgeable can generally get around simple-minded network filters. Which means you can end up blocking more than a little outbound traffic; more than TCP 80 and TCP 443.
Now for somewhat more bad news: Skype uses TCP 80 and TCP 443 (or requires a whole lot of open ports), and specifically to work around filters and blocks and firewalls and related "defenses". Whether you can get that to work by excepting the supernodes, I don't know.
I'd probably sort out what you do and do not want to allow access to as a more general problem, as getting an update server into a DMZ with exceptions enabled is a comparatively small problem — once you achieve the sorts of network blockages you're seeking. None of this stuff is particularly specific to OS X or OS X Server, either.
This configuration will probably involve installing a network gateway with internal filtering capabilities and a network nanny implementation, as well as some work on the internal network configuration. That may well be possible with Fedora, DD-WRT, Tomato or some other similar open source (it's likely best to ask for discussions and tradeoffs of those options elsewhere), and can be implemented with a commercial offering. Your needs here are probably even a little simpler in some ways, as you want and need just a few web connections.