by malka 3888 days ago
yeah. basically, no network access, except to the arch mirrors and just enough to watch the twitch stream. should be hard to abuse.

put it in an AWS VPC on a private subnet. create another subnet with a NAT instance. Only allow access to the VPC over SSH or whatever from the secure control server. Lock all other incoming via security groups or network ACLs. Allow egress from this box only to route on ports 80 and 443 out through a route table to the NAT instance to the internet. Further you can allow the NAT to only allow access to 80/443 outbound to whitelisted IP addresses, or if you want to get craftier, make the NAT a squid box and whitelist / net nanny what it can hit, possibly via an admin watching the Twitch Plays stream and saying yea/nay
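The layout the comment above describes, written out as an added Terraform sketch (not from either commenter). It assumes an existing VPC and a managed NAT gateway already sitting in a public subnet (standing in for the NAT instance), and takes the control server's address as a variable; the squid-based URL whitelist on the NAT side is out of scope here.

```hcl
# Assumed inputs (constructed for this example, not from the page)
variable "vpc_id"            { type = string } # existing VPC
variable "nat_gateway_id"    { type = string } # NAT gateway in the public subnet
variable "control_server_ip" { type = string } # e.g. "203.0.113.10/32"

# Private subnet for the sandbox box: no internet gateway route of its own
resource "aws_subnet" "private" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.1.0/24"
}

# Only path out of the private subnet is via the NAT gateway
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = var.nat_gateway_id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security group: SSH in from the control server only; everything else inbound
# is dropped. Terraform removes AWS's default allow-all egress rule once any
# egress block is declared, so outbound is limited to exactly TCP 80 and 443.
resource "aws_security_group" "sandbox_box" {
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.control_server_ip]
  }

  dynamic "egress" {
    for_each = [80, 443]
    content {
      from_port   = egress.value
      to_port     = egress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
}
```

Attach `aws_security_group.sandbox_box` to the instance launched in `aws_subnet.private`; security groups are stateful, so return traffic for the allowed SSH and HTTP(S) flows needs no extra rules.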