You could still have legally binding network usage policies. Anyone running a disallowed service gets removed from the network. Might not be a viable solution though.
If you blocked common VPN ports, that would also defeat legit VPN usage and wouldn't stop things like HotSpotShield, since I think they can do everything over port 443, which is the SSL port.
The only way I can think of would be to have a block list on the outgoing routers to prevent connections to known Tor and VPN sites.
You could use OpenDNS (http://www.opendns.com/solutions/overview/, https://www.opendns.com/solutions/business/filtering/); they have blocking and have anonymizers/proxies as one of their options, I've read.
However this wouldn't stop someone that changed their own computer's DNS to something else.
No matter what you do, if you allow a connection to the Internet people will be able to use that connection to get around any filters you put in place, period.
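The DNS-change bypass mentioned above is at least visible at the egress firewall. The following is an added example, not part of the original posts: it scans a constructed firewall log for internal clients sending DNS or DNS-over-TLS traffic to resolvers other than the sanctioned ones. The log format, the 10.0.0.0/8 LAN range and the function name are assumptions; the approved resolvers are the public OpenDNS addresses.

```python
import ipaddress
from collections import defaultdict

# Assumption: the OpenDNS resolvers are the only sanctioned upstream DNS servers.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed LAN range
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}

# Constructed sample egress log, format: "time src dst proto dport action"
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.4.17 208.67.222.222 udp 53 allow
2024-01-01T09:00:02 10.0.4.23 8.8.8.8 udp 53 allow
2024-01-01T09:00:03 10.0.4.23 1.1.1.1 tcp 853 allow
2024-01-01T09:00:04 10.0.4.17 93.184.216.34 tcp 443 allow
2024-01-01T09:00:05 10.0.4.31 9.9.9.9 tcp 53 allow
malformed line
2024-01-01T09:00:06 192.0.2.5 8.8.8.8 udp 53 allow
"""

def find_dns_bypass(log_text):
    """Map each internal client to the unapproved resolvers it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records instead of failing the whole scan
        _, src, dst, _proto, dport, _action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)  # validate the destination address
            port = int(dport)
        except ValueError:
            continue
        # Only DNS-type traffic that originates inside the LAN is of interest.
        if src_ip not in INTERNAL_NET or port not in DNS_PORTS:
            continue
        if dst not in APPROVED_RESOLVERS:
            hits[src].add((dst, DNS_PORTS[port]))
    return {client: sorted(pairs) for client, pairs in hits.items()}

if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(client, resolvers)
```

The same allow-list can be enforced as an egress rule that permits ports 53 and 853 only to the approved resolvers. DNS carried inside HTTPS on port 443 does not show up in a port-based check like this one.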