Best way to block websites with terminal services

Here’s my situation:

I need to block users from accessing websites like facebook/myspace. They’re all logging into a terminal services machine through a thinclient (2x).

I need to allow people that don’t log into the terminal services server to access those websites.

Everyone’s using the same DNS servers.

What’s the best way to block the sites?
Editing the HOSTS file on the terminal server machine?
Setting up a proxy?
Adding a stub zone to the DNS?
Using a group policy/IPSEC?

Keep in mind the IT budget is really small so purchasing something should only be a last resort.