This is not really a function of RadiusNT or Emerald really. It is achieved
with a combination of NAS, proxy and router. We achieve a limited forcing
of proxy use by disallowing all requests on port 80 from going out through
the router if they came from a specific range of IP addresses. These users,
our dial-up customers, must go through the proxy on port 8080 to be able to
access the web, ftp or gopher through their web browser. Our staff
machines, on a different IP range, can use either direct web or proxy.
Since every ftp client I have seen does not have the facility for going
through a proxy, ports 20 and 21 must remain open or you will alienate users
of CuteFTP or such ftp software.
As for telnet, I'm not sure, but I believe it's the same situation as
dedicated ftp software.