Surfing the internet means port 80. Downloading files via internet is also going to be port 80. People can also download files via FTP which is port 20/21. So it depends, what method your users are using to download files; Web or FTP. If Web, then you cannot block it since you want them to browse, if FTP then block ports 20/21.
HTH
R/Yusuf