is there a way to block internet access while the users are connecting to my company?
my security policy is not use NC at all, i'm using WSAM and web bookmarks.
could it be using HC policy?
If you configure WSAM to tunnel traffic from the browser application you can then use resource policies to control what they access. Of course if they use a different browser they could still get to the Internet without passing through the VPN box. Alternatively you could configure it with an allowed server * and ports 80, 443 which would force all http, https traffic down the tunnel but this might break other things.