Best way to Protect against Dropped VPN on public network?

Hi all,

I’d like to define a policy on the firewall that I can switch to when on an untrusted network that will only allow the web browser, DNS and VPN through the firewall.

This is because I prefer to use a VPN when on public Wi-Fi and I’d rather not have apps suddenly talking to the internet directly if the VPN should drop (just in case one of them sends an IM login or something in plaintext).