You could use mouser's Browser Tray Switch
and set a browser that doesn't have permission in your firewall (or a dummy executable) as your default browser. That way, anything that wants to automatically open a page without your permission, would fail in doing so.
(see mouser's last paragraph on the program's page)
Another alternative, without using additional software, could be blocking sh.com in your HOSTS file. This would only make that
domain name fail, though, and would offer no protection against any other app that decides to act with similar behavior.