If your users have admin rights to install items to their workstations, there's nothing you can do to stop one with some skill from bypassing your websense.

The key here is to remove admin rights from the WS so that they canouldn't install tor, or any other vpn/proxy/tunneling solution in the 1st place.

So, think about how you are blocking access to the Internet. For example, if you are requiring that your browsers simply configure their configuration to point to a proxy, are you still allowing traffic out through your Internet connection from other systems other than the proxy?

To clarify, what I am suggesting is that if you are forcing your users to use a proxy, then at the perimeter firewall, you should block ALL outbound traffic except from your proxy servers. This will force all clients to use the proxy servers to get outbound access.

Then, at the proxy server, you can impose the restrictions required for your users.