When using Don’t Talk To Strangers (DTTS), outbound access is granted only to devices making authorized DNS queries. If computers or endpoints are set to use your Windows Server as their DNS server, then DTTS opens outbound access for the Windows Server, not the endpoint.
The Windows Server Essentials (and Small Business Server) client setup process overrides any network interface card settings you have previously set and forces the client to use the server for DNS. To correct this behaviour, we reference this Microsoft article:
https://support.microsoft.com/en-us/help/2862551/update-rollup-3-for-windows-server-2012-essentials
To be able to change the DNS server on each workstation to your gateway (instead of the server), run the following command on the client computer from an elevated command prompt:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery" /v SkipAutoDNSServerDetection /t REG_SZ /d true
Secondly, create a forwarding rule that forwards your local domain DNS queries to your server, for example:
internal.example.com
forward queries to 10.0.0.2 (or whatever the IP address of your Windows server is).
Finally, turn on the newly-created rule for each of your Policies.
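The following PowerShell script is an added example, not part of the original article or the vendor's tooling. Run elevated on a workstation once the forwarding rule is enabled, it writes the same registry value as the command above, points DNS at the gateway, and checks that nothing still bypasses it. The gateway address `10.0.0.1` and the host name `server.internal.example.com` are assumptions; replace them with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example. $Gateway and $TestName are assumptions, not values from the article.
$Gateway  = '10.0.0.1'                      # assumption: LAN address of the DTTS gateway
$ServerIp = '10.0.0.2'                      # Windows server address from the article's example
$TestName = 'server.internal.example.com'   # assumption: a host record in the local domain
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery'

# 1. Write the same value as the reg add command, so the connector stops
#    resetting the client's DNS server back to the Windows server.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name SkipAutoDNSServerDetection `
    -PropertyType String -Value 'true' -Force | Out-Null

# 2. Point each connected interface that has an IPv4 default gateway at the gateway for DNS.
$nics = Get-NetIPConfiguration |
    Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' }
foreach ($nic in $nics) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $Gateway
}

# 3. Verify the registry value and the resulting DNS configuration.
$problems = @()
$value = (Get-ItemProperty -Path $KeyPath).SkipAutoDNSServerDetection
if ($value -ne 'true') { $problems += "SkipAutoDNSServerDetection is '$value', expected 'true'" }
foreach ($nic in $nics) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex `
            -AddressFamily IPv4).ServerAddresses
    if ($dns -contains $ServerIp)   { $problems += "$($nic.InterfaceAlias) still uses $ServerIp for DNS" }
    if ($dns -notcontains $Gateway) { $problems += "$($nic.InterfaceAlias) does not use $Gateway for DNS" }
}

# 4. Confirm the gateway answers local-domain queries, which only works
#    when the forwarding rule to the Windows server is enabled in the policy.
try {
    Resolve-DnsName -Name $TestName -Server $Gateway -DnsOnly -ErrorAction Stop | Out-Null
} catch {
    $problems += "$TestName did not resolve through ${Gateway}: $($_.Exception.Message)"
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: client queries the gateway, and the local domain resolves through it.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

If DHCP hands the Windows server's address to clients as their DNS server, change the DHCP scope option as well; otherwise machines that were not configured by this script will still query the server directly.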