Set their MACs to address . Then, use firewall rules to restrict outgoing communication:
Add user1 and user2 MAC’s as address objects and combine in an object group named “Internet Restricted Computers.”
Add *.site1.com and *.site2.com domain names as objects, combine in an object group named “Whitelisted Websites.”
Add deny all for user group from LAN > WAN and then add allow whitelisted site group for user group LAN > WAN (whitelist rule higher priority than deny all).