K-8 school here trying to block students using VPNs: could be apps or websites, on either Chromebooks or phones. Our content filter, iBoss, is not good in this area, only offering to block five ports. I want to block lots more, hoping to catch not all but the majority of ports commonly used by VPNs. I think ZD can do this in configure>access control. But which section? L2? L3/4? "Application Denial Policy"? See two attached screenshots.