One way to limit the hosts that can access the Internet is to statically assign addresses to the permitted hosts in a permitted NAT range, and set up DHCP for everyone else outside of the permitted NAT range.
I've also had issues with Internet access to some sites due to the default behavior of the DNS check. It kills all DNS packets longer than 512 bytes (and some DNS clients use larger request packets).
Try resetting the DNS inspect maximum-length to 1500 bytes. It worked for me...
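An added example, not part of the original post: it models only the length check described above, to show how a small query that advertises a larger UDP payload via EDNS0 gets through a 512-byte limit while the larger reply does not. The names, the record contents and both messages are constructed for illustration.

```python
import struct

def encode_name(name):
    # Dotted name -> DNS labels (no compression).
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def skip_name(msg, off):
    # Offset just past a name; a compression pointer is 2 bytes and ends it.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_udp_size(msg):
    # UDP payload size advertised in an EDNS0 OPT record, or None if absent.
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                 # OPT: CLASS field carries the UDP size
            return rclass
        off += 10 + rdlen
    return None

def passes_inspection(msg, max_len):
    # Models only the length check: anything longer than max_len is dropped.
    return len(msg) <= max_len

def build_query(name, udp_size):
    # Constructed TXT query with one OPT record in the additional section.
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 16, 1) + opt

def build_response(name, txt_count):
    # Constructed reply: txt_count TXT records, each holding one 200-byte string.
    header = struct.pack("!6H", 0x1234, 0x8180, 1, txt_count, 0, 0)
    txt = b"\xc8" + b"x" * 200
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(txt)) + txt
    return header + encode_name(name) + struct.pack("!HH", 16, 1) + rr * txt_count

QUERY = build_query("example.test", 4096)       # constructed sample
RESPONSE = build_response("example.test", 3)    # constructed sample
```

With a 512-byte limit the 41-byte query passes and the 669-byte reply is dropped, so the client sees a timeout rather than an error; at 1500 both pass.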