Have a look at your Web ACL list. By defualt there is a policy which allows *:* for web browsing. You may want to disable this. Dont know if this will fix it or not but can give it a go.
If you configure WSAM to tunnel traffic from the browser application you can then use resource policies to control what they access. Of course if they use a different browser they could still get to the Internet without passing through the VPN box. Alternatively you could configure it with an allowed server * and ports 80, 443 which would force all http, https traffic down the tunnel but this might break other things.
1. Under Roles > SAM > Add Server > Enter *:80,443 or *:* if you want all traffic to be terminated on the SSL VPN gateway (this will make sure all traffic from that PC will go through WSAM client > SA device) 2. Under Resource Polices > SAM > Access Control define the allowed destinations.
Note: This method requires you to explicitly allow access to each resource/network /subnet using step # 2 above which may be a pain if your resources are spread across different subnets and in addition if someone tries to access a blocked resource there will be no explicit error message that WSAM can present.
