Put in an inbound ACL on the inside interface:
access-list 101 permit ip "workstations all destination internal networks"
access-list 101 deny ip "workstation1 destination any"
etc...
then
access-list 101 permit ip any any log
Apply it inbound and that should work, if I understand your question.
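
An added example, not part of the original reply: a short Python model of first-match ACL evaluation for the entry order suggested above, which also renders the entries in classic Cisco IOS extended ACL syntax. The addresses (192.168.10.0/24 for workstations, 10.0.0.0/8 for internal networks, 192.168.10.21 as workstation1) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not from the post): workstations are in
# 192.168.10.0/24, internal networks are 10.0.0.0/8, and 192.168.10.21 stands
# in for "workstation1". Entries are (action, source, destination, log).
ACL_101 = [
    ("permit", "192.168.10.0/24", "10.0.0.0/8", False),
    ("deny", "192.168.10.21/32", "0.0.0.0/0", False),
    ("permit", "0.0.0.0/0", "0.0.0.0/0", True),
]


def evaluate(acl, src, dst):
    """Return (action, entry number) for the first matching entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, src_net, dst_net, _log) in enumerate(acl, start=1):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, number
    return "deny", None  # implicit deny at the end of every ACL


def ios_addr(net):
    """Format a prefix the way an extended ACL entry writes it."""
    n = ipaddress.ip_network(net)
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == n.max_prefixlen:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"  # hostmask is the wildcard mask


def render(acl, number=101):
    """Render the entries as numbered extended ACL lines."""
    return [
        f"access-list {number} {action} ip {ios_addr(s)} {ios_addr(d)}"
        + (" log" if log else "")
        for action, s, d, log in acl
    ]


if __name__ == "__main__":
    print("\n".join(render(ACL_101)))
    for src, dst in [("192.168.10.21", "10.1.2.3"),
                     ("192.168.10.21", "198.51.100.7"),
                     ("192.168.10.50", "198.51.100.7")]:
        print(src, "->", dst, evaluate(ACL_101, src, dst))
```

Swapping the first two entries makes the deny match first, so the restricted workstation would lose access to the internal networks as well.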