I'm looking for a solution that will allow the teacher in the computer
classroom to "flip a switch" to enable/disable student access to the
Internet on the fly. The solution needs to be able to happen virtually
instantly - that is, it can't require a restart of the student machine. The
teacher wants to prevent kids from surfing while instructing on something,
but then "flip the switch" to let kids immediately be able to get to the
Internet to do whatever they were just instructed in doing.

So far I am stumped, and I'm looking for some ideas (BM or otherwise).
Brief network details: BM server is single-point of access to the Internet
for the whole building. Access is 100% restricted to using BM proxy server
(ie, if correct proxy not set in IE, you can't get to the Internet).

Things I've considered:
We have a program (NetOp school) that allows the teacher to execute commands
on all the student machines. Using this we created a registry key to change
the IE proxy setting on all the student computers. That solution works
perfectly unless a student had already loaded IE - changing the registry key
doesn't change the active value in the currently-running instance of IE. If
there was a way to force the change to already-running IE, or if someone
knew of a way of forcing IE to close with an comman-line (to then be
followed by the registry key setting), that might work.

We can readily create an NDS group and an Access Rule that denies all
Internet access. We can even create a fairly simply LDAP web-page that
would allow the teacher to add the students in the class to that group. But
since the teacher doesn't (and shouldn't/can't/won't) have access to NWAdmin
to refresh the BM server ACLs, there is no way to make the change register

The classroom is online via a Cisco switch in that room, but we can't just
pull the plug b/c we want students to be able to remain on the network (home
directories, etc). Since we don't VLAN the room, I can't come up with a
simple way of changing a configuration (physically or via software) to limit
access through the switch, or to deny access to the Internet through BM from
any connection coming in through that switch.

I know there is 3rd party software out there that can accomplish this, but
I'd really rather not if there is an in-house way of doing this.

Does anyone have an idea on where to look or how to proceed?

Many thanks!