IT Employment

.
You can run a proxy server, or what I would suggest is something like superscout. It will generate reports on usage, sites visited etc, and can block by site types etc.

There are workstation options, but it makes more sence to do it from a server.

user account config to remove access to the external gateway for internet access.
( requires the server be configured to allow access on a user level for each device / service, rather than the most common of domain level controls )

netware is good for the user level controls.
*x is good for user level controls.

If you're talking about restricting particular users then you'll need to ensure that user need to log in before accessing the web. As mentioned above,a proxy such as squid will allow you to do this. If you're trying to block a particular host then things are a little simpler. If the user is not PC savvy I sometimes set the browser proxy to the loopback address. Other times I block outgoing ports for particular hosts at the firewall.

Firewalls can allow and deny what ever you want.

Just put in a deny from his pc's IP to the destination. (unless you use DHCP, one of MANY reasons we do NOT use DHCP for our PC's)

Could also go to that pc and add that domain to the denyed or put in the hosts file that domain name with the address for an internal website with a note that the page attempted to access is denied due to company policy and the attempt has been logged.

I recommend using another Microsoft product called Internet Security and Acceleration (ISA). ISA will allow several simultaneous configurations including:
1. restriction by user name
2. restriction by group
3. restriction to specific sites
4. Restriction by time
and any other combination of the above.
Here is an example of a configuration I currently use to explain the flexability:
I have a group of users that have 24/7 unlimited access (admins, directors, etc). I have set up time restrictions for other users to allow everyone unlimited access between the hours of 7-8am, 12-1pm, and 5-6pm. Every user has limited internet access to certain sites such as windowsupdate, antivirus update, corporate web site. ISA is not only the 'proxy' server but it is an integrated firewall that plays nice with Active Directory, OWA, and POP servers.
I hope this helps.

Erik 'mcseman' Pryor