I need to make sure that people don't just change the DNS on their machines and then get infected or go to sites I don't want them to go on.... does changing the DNS in windows bypass content filtering and malware protection (AMP) on the MX for the particular client?
if you change the DNS server your client still request the same content/URL.
for amp, i dont think this works based on dns but more like comparing a file hash to a known database
I haven't tested AMP but on our public wifi we use custom DNS so they don't use our internal DNS and they still get content filtered.
DNS shouldn't matter for content filter and AMP, but if you don't want users to use any DNS besides the ones you choose just block all outbound port 53 traffic except the ones you want.
I think you are mostly referring to content filtering, rather than AMP. And no it wont matter what DNS servers they are using.