I'm trying to configure a machine to be able to do the following:

1) Chrome (and all other User1 related programs in general, at least at the moment) is NOT allowed to access the internet but only the local network (used by User1)
2) Firefox (and only Firefox, maybe additional programs in the future) is allowed to access the internet (direct access) and is NOT allowed to access the local network (used by the same User1)
3) Ubuntu system and software updates are done through the internet with redirection
4) Once User1 has logged in (with User1 password), he must not be asked again for any further password
5) User1 isn't root/admin and doesn't even know root/admin password

Any idea?
I've built a possible structure in iptables to achieve this using groups (e.g. Chrome > Group1 & Firefox > Group2), but how do I run both programs without being asked for a password (but at the same time keeping the system safe, meaning everything protected by password)?

Moreover, which are all the groups responsible for system and software updates in Ubuntu?
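
The group-based iptables structure described in the question can be written with the `owner` match, as in the added example below (not part of the original post). The user `user1`, the group `netonly`, the LAN range `192.168.1.0/24` and the path `/usr/bin/firefox` are assumptions made for illustration; the script only prints a ruleset and does not change the running firewall.

```shell
#!/bin/sh
# Added example. Prints an iptables-restore ruleset for per-program egress control.
# Assumed names (not from the post): user1, netonly, 192.168.1.0/24.
#
# --gid-owner matches the effective group of the process that owns the socket,
# so Firefox has to be started with that group. One password-free way that
# still limits which binary may use the group (sudoers line, path assumed):
#   user1 ALL=(:netonly) NOPASSWD: /usr/bin/firefox
# launched as:  sudo -g netonly /usr/bin/firefox

emit_rules() {
    # Usage: emit_rules USER INTERNET_GROUP LAN_CIDR
    [ $# -eq 3 ] || { echo "usage: emit_rules USER GROUP CIDR" >&2; return 1; }
    # Refuse spaces or shell/iptables metacharacters so an argument cannot
    # smuggle extra options into a rule.
    case "$1$2$3" in
        *[!A-Za-z0-9._/-]*) echo "invalid argument" >&2; return 1 ;;
    esac
    user=$1
    inet_group=$2
    lan=$3
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
# Loopback stays open (local services, Ubuntu's 127.0.0.53 stub resolver).
-A OUTPUT -o lo -j ACCEPT
# Processes running with group $inet_group: internet yes, LAN no.
-A OUTPUT -m owner --gid-owner $inet_group -d $lan -j REJECT
-A OUTPUT -m owner --gid-owner $inet_group -j ACCEPT
# Every other process owned by $user: LAN yes, internet no.
-A OUTPUT -m owner --uid-owner $user -d $lan -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -j REJECT
# Traffic from other accounts (root, _apt for updates) is not matched here.
COMMIT
EOF
}

# Review the output before loading it, e.g.:
#   emit_rules user1 netonly 192.168.1.0/24 | sudo iptables-restore --test
emit_rules user1 netonly 192.168.1.0/24
```

The group rules must come before the user rules, because Firefox started this way still runs with User1's UID. These rules cover IPv4 only; an equivalent ip6tables ruleset is needed if the machine has IPv6 connectivity.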