I would suggest in addition to your blacklist that you enable QoS and use it less for traffic shaping and more to limit the maximum bandwidth available. 40 Gigabytes per month equates to about 125 kilobits per second of constant use for the whole month (beware that this is both ways, so you might want to consider that more 100 kb/s down and 25 kb/s up, and also this is before any protocol overhead on the satellite side (not sure if your provider counts that or not). Just using these numbers you could use QoS to put absolute max limits on all traffic and ensure you’d stay under your cap, although 1 guy with bittorrent could still make everyone else miserably slow…
I would also suggest blocking all outgoing traffic except for port 80 (HTTP) and port 443 (HTTPS). Granted some things like encrypted Bittorrent can be very hard to throttle as it uses HTTPS, but its still worth a shot.
As for your blacklist, google should help. A quick search for Windows Update gave me this list:
(taken from http://support.microsoft.com/kb/818018)
Also, you might want to see if your satellite provider has an “unmetered” period in the late night / early morning timeslot.
A big difference between being a net censor and a fair admin is good communication – I suggest placing a message on your captive portal letting people know that you’re trying to conserve bandwidth and to please don’t stream videos and such. That might be more effective than you’d think.