 
On Fri, Nov 27, 2009 at 01:52:31PM -0800, nate wrote:
> As others have mentioned using a proxy would work..
A proxy would be the best, as it offers a lot of additional features such as logging, the ability to see how much time people are wasting at work. Squid set up as a transparent proxy negates having to do any client-side setup and cannot be easily bypassed by clueful end-users.
> Other ways would be using iptables to block access to those domains' name servers so the names do not resolve at all (they could still access via IP..)
Not as easy as one would think; most sites in this day and age are still going to require proper Host: headers to be sent, I would think.
Blocking by server IP addresses or even the authoritative DNS servers for the domains you wish blocked is not ideal, as you have *no* control over these resources. Web servers or GeoIP redirectors / load balancers may change public IP space, and DNS servers are subject to the same.
> Also, hosting the domains on your internal name server and pointing them to some internal address so that they can't be resolved could work as well.
I've done this in the past with great success; point them to a "You've Been Busted Going To This Website" type page. Access logs can be processed to see who is trying to waste company time with this solution also. The only real problem with this is ensuring that /etc/hosts or \Windows\system32\drivers\etc\hosts (and whatever Macs use) resolution is properly locked down, so that clueful users cannot resolve locally, thus bypassing your DNS server.
> Oftentimes client-side antivirus/spyware programs can be configured to block things on the client side as well.
While this indeed can be done, and I've seen it used to good effect, it just adds to workloads if you ever change to another AV solution down the road; the local DNS server is set-and-forget.
John
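The internal-DNS sinkhole John describes has three operational pieces: the zone data that points blocked domains at an internal "busted" page, the access-log processing that tells you who hit it, and a check that client hosts files are not overriding the sinkhole. The script below is an added example written for this thread, not code from the thread or from any of the products mentioned. It assumes BIND9-style zone syntax, an Apache common-log-format access log on the sinkhole web server, and constructed sample values (sinkhole address 10.0.0.50, domains under the reserved .test TLD, a TEST-NET address in the sample hosts file).

```python
"""DNS sinkhole helper: zone generation, busted-page log report, hosts-file audit.

Added example for the mailing-list thread; assumptions are marked below.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample values (assumed, not from the thread).
SINKHOLE_IP = "10.0.0.50"
BLOCKED_DOMAINS = ["example-timewaster.test", "games.example.test"]

# BIND9-style zone: apex and every subdomain resolve to the sinkhole address.
ZONE_TEMPLATE = """$TTL 300
@   IN SOA  ns1.internal.example. hostmaster.internal.example. (
        {serial}   ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; negative cache TTL
    IN NS   ns1.internal.example.
@   IN A    {ip}
*   IN A    {ip}
"""


def zone_file(ip: str, serial: int = 2009112701) -> str:
    """Render one sinkhole zone file; raises ValueError on a malformed address."""
    ip_address(ip)
    return ZONE_TEMPLATE.format(ip=ip, serial=serial)


def named_conf_stanzas(domains, zone_path="/etc/bind/db.sinkhole") -> str:
    """named.conf 'zone' blocks; every blocked domain shares the same zone file."""
    return "\n".join(
        'zone "%s" { type master; file "%s"; };' % (d, zone_path) for d in domains
    )


# Apache common log format: client ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample access log from the sinkhole web server.
SAMPLE_LOG = """\
192.168.1.23 - - [27/Nov/2009:14:01:02 -0800] "GET / HTTP/1.1" 200 512
192.168.1.23 - - [27/Nov/2009:14:01:05 -0800] "GET /favicon.ico HTTP/1.1" 404 209
192.168.1.77 - - [27/Nov/2009:14:03:44 -0800] "GET /index.html HTTP/1.1" 200 512
garbage line that does not parse
"""


def hits_per_client(log_text: str) -> dict:
    """Count busted-page hits per client IP, skipping favicon noise and unparsable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/favicon.ico" in m.group("req"):
            continue
        counts[m.group("client")] += 1
    return dict(counts)


# Constructed sample hosts file containing one sinkhole-bypassing entry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# the next line would bypass the internal DNS sinkhole
203.0.113.5 example-timewaster.test www.example-timewaster.test
"""


def hosts_overrides(hosts_text: str, blocked) -> list:
    """Return (ip, name) pairs in a hosts file that name a blocked domain or a subdomain of one."""
    blocked = [b.lower() for b in blocked]
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            nl = n.lower().rstrip(".")
            if any(nl == b or nl.endswith("." + b) for b in blocked):
                found.append((ip, n))
    return found


if __name__ == "__main__":
    print(named_conf_stanzas(BLOCKED_DOMAINS))
    print(zone_file(SINKHOLE_IP))
    print("hits:", hits_per_client(SAMPLE_LOG))
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS, BLOCKED_DOMAINS))
```

Run it as-is to see the generated named.conf stanzas, the shared zone file, a per-client hit count from the sample log, and the hosts-file entries that would defeat the sinkhole; in practice you would feed it your real blocklist, the busted page's access log, and hosts files collected from clients.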