lol! sorry its friday morning
In which case its difficult to classify traffic as its basically all exactly the same, the only difference is its ultimate destination, for example the corporate web portal, or google/porn/etc?
The best way would be to define a queueing policy where you specify the destination address(es) of the corporate web portal, and reserve a specific amount of bandwidth for traffic traveling to it from any source address on the LAN,
For example, on a Cisco box the config would look something like:
set access-lists to match traffic going to the corporate web portal, (1.1.1.1 is the web portal in my example)
Outbound
access-list 109 permit ip 172.16.0.0 0.0.255.255 host 1.1.1.1
class-map match-all outboundportal
match access-group 109
!
policy-map outbound
class outboundportal
bandwidth percent 30
!
Interface serial 0
description Wan interface
ip address 1.2.3.4 255.255.255.252
service-policy output outbound
This basically allocates 30% of the link bandwidth to traffic travelling towards the portal based on the speed of the WAN interface.
You can't queue traffic coming inbound to the router from the webportal (only police) you can queue outbound toward the LAN but it won't help because the WAN interface will become congested before the LAN qos policy can drop the packets, to have inbound queueing the upstream router (ISP) would need to queue outbound towards you, or you'd need to use hard policing..
This would be the main issue, I assume that most of the congestion would be caused by people downloading normal webpages/stuff from the internet and not upstream bandwidth.
If the ISP cannot do any form of Qos for your connection back, you could make an opposite qos policy and change the bandwidth of the LAN interface to fool the qos into thinking that its the same speed as the WAN interface, this would allow qos to drop normal web packets outbound towards the LAN, this would cause TCP to throttle back and control the rate somewhat..
Trial and error most likley!
