VLAN employees and block 3389 from that VLAN at the firewall. If that doesn’t work, install an inline filtering solution that can detect embedded HTTP traffic to prevent your solution. I deal with that shit all the time in schools. Kids were using firefox portable so IE lockdown policies couldn’t prevent them from using manual proxies, so I created a GPO to prevent EXE, VBS, MSI, etc files from running on flash drives. No more Firefox Portable.