I used to do it using watchguard firewall with web blocker, but now i set up an MPLS network at the new office and everything is done by the ISP. I have a block of IP's that are unblocked assigned to the office top tier and the rest is only opened for normal use (email, google, etc) If a particular website is blocked and an employee needs access then they have to submit a request, get it approved by Office Manager then fwd to ISP to whitelist.
We open the firewall for all during lunch hours, it is pretty silly to see all these companies treating their employees as slaves instead of realizing that the money they get in is because of them. We have pool tables, HD tv, happy hour, etc at our office. Keep them happy, they will work better hence they will get more money in...
Keep Up with TechRepublic