
Techniques for blocking domains in Internet Explorer


Had a virus on an old Windows XP Pro (SP3) workstation we were given to dispose of that had been powered down for over a year. We were able to clean it up (Malwarebytes, SpyBot, Symantec, etc.), or so we thought.

Sniffing traffic on a hub doesn't reveal anything, so it appears that the virus is indeed dormant and/or removed, nor is the workstation experiencing any other symptoms, except that you still cannot browse to *.microsoft.com, symantec.com, etc. from within Internet Explorer.

Outside of the usual suspects -- proxy settings changes in IE, hosts files, etc. -- where else could you restrict access with Internet Explorer? There don't appear to be any add-ons loaded, nor can we see any rogue processes running.

NOTE: we're not looking for another tool to run (e.g. ComboFix), but technical details on how/where these restrictions are implemented, e.g. hooks into the TCP/IP stack, registry keys, etc.


Solution

  • If you want a central configuration point, you could also use your internal DNS server to mis-resolve domains. This works just like the hosts file, but it's centralized.
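The answer compares DNS mis-resolution to the hosts file. The following is an added example, not part of the original question or answer: it audits hosts-file text for overrides of the domains the question reports as unreachable. The sample file content, the watchlist and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts content (not taken from the workstation in the question).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com update.microsoft.com   # injected
0.0.0.0         symantec.com
203.0.113.5     liveupdate.symantec.com
192.0.2.10      notmicrosoft.com
not-an-ip       broken.symantec.com
"""

# Assumption: the domains named in the question; extend as needed.
WATCHLIST = ("microsoft.com", "symantec.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(name, watchlist=WATCHLIST):
    """True for a watched domain or any subdomain of it (label-aligned match)."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_no, ip, name, sinkholed) for each override of a watched domain.

    sinkholed is True when the address is loopback or 0.0.0.0, i.e. the
    name can never reach the real site; False means it is pinned elsewhere.
    """
    return [
        (line_no, str(ip), name, ip.is_loopback or ip.is_unspecified)
        for line_no, ip, name in parse_hosts(text)
        if is_watched(name, watchlist)
    ]


if __name__ == "__main__":
    for line_no, ip, name, sinkholed in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({'sinkholed' if sinkholed else 'pinned'})")
```

On the machine itself, pass the contents of the hosts file to `suspicious_entries` instead of the sample string.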