I've done this previously, but it's not pretty. Here's what I would do:
1) Setup an Outbound ACL
access-list Outbound-ACL permit ip host (workstation 1) host (Symantec1)
access-list Outbound-ACL permit ip host (workstation 1) host (Symantec2)
access-list Outbound-ACL permit ip host (workstation 1) host (Outside WebServer)
access-list Outbound-ACL deny ip host (workstation 1) any
*** Mirror this for Workstation 2, etc)
access-list Outbound-ACL permit ip any any
2) Apply the ACL to your inside interface
access-group Outbound-ACL in inter inside
It can be a hassle, but it works. I've also done blacklisting (not sure if this fits your environment) and the reference document is here.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Hope this helps, rate if it does,
JB