
There is a laptop which is to be secured so that only certain websites are accessible.

The reason is possible data theft, by the user or by malware, from VPN-only-accessible websites which this laptop will be accessing daily.

The laptop is physically secured with a lock, in a surveilled environment, and its USB ports are disabled.

For whitelisting particular sites, the approach taken was to:

  1. Set IP to DHCP, but enter DNS manually, pointing at a bogus server IP which is unreachable, so DNS look-ups don't work.
  2. Add host records to c:\Windows\System32\drivers\etc\hosts, so DNS look-up for allowed websites works.
  3. By checking Chrome console errors, add other required asset-hosting domains to the file above (e.g. the jQuery of a particular website is sourced from the Cloudflare CDN, and such).
  4. The user has limited privileges and can't make changes to the above.

This method is cumbersome and I was wondering what other ways might be more suitable and easier to implement.

Hosts file sample:

X.X.X.X    allowed-website.com
Y.Y.Y.Y    cdn.asset-domain.com

2 Answers

You can enforce it via GPO. The steps below are for GPO settings, but you can use local GPO settings also.

Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on "Security Zones and Content Ratings".

Modify Content Ratings to "Import content ratings" > Modify Settings.

  1. In the Approved Sites tab, give your whitelisted URL.
  2. In the General tab, uncheck "Users can see websites that have no rating".

  • Thanks for the answer, amarnath. As the user needs HTML5 content, will this also work with any browser other than Internet Explorer? – Dec 29 '16 at 21:55

I would put the restriction on the networking side. Program the nearest switch/router to only allow access to your approved sites. Then a rootkit or other malicious code that bypasses Windows protections still won't have access to anything.

Idea #2

Set up your own DNS server which doesn't connect to the internet. Give it a hard-coded list of acceptable websites.

cybernard
  • This laptop is located at our remote office, this is the ideal solution but we are not ready for this yet. Eventually we will get a firewall that can do all these automatically. Meanwhile I still need an implementation that can be done only on laptop. –  Dec 29 '16 at 21:54
  • @sdkks How about idea #2, your own dns server. – cybernard Dec 29 '16 at 22:04
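Idea #2 from this answer, as an added example (not code from the answer's author): a minimal allowlist-only DNS resolver that answers A queries for the names in a hard-coded list and returns NXDOMAIN for everything else. The allowlist names mirror the question's hosts-file sample; the 192.0.2.x addresses and the `serve` bind address/port are constructed placeholders.

```python
import socket
import struct

# Constructed allowlist: names from the hosts-file sample, placeholder addresses.
ALLOWLIST = {
    "allowed-website.com": "192.0.2.10",
    "cdn.asset-domain.com": "192.0.2.20",
}

def parse_question(msg):
    """Return (qname, qtype, end_offset) of the first question in a DNS query."""
    labels, pos = [], 12                      # question section starts after 12-byte header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, = struct.unpack("!H", msg[pos:pos + 2])
    return ".".join(labels).lower(), qtype, pos + 4   # skip QTYPE and QCLASS

def rcode(msg):
    """Response code from a DNS message header (0 = NOERROR, 3 = NXDOMAIN)."""
    return msg[3] & 0x0F

def build_response(query, allowlist=ALLOWLIST):
    """Answer A queries for allowlisted names; unknown names get NXDOMAIN."""
    qid, = struct.unpack("!H", query[:2])
    qname, qtype, qend = parse_question(query)
    question = query[12:qend]                 # echo the question section back
    ip = allowlist.get(qname)
    if ip is None:                            # QR AA RD RA set, RCODE=3 (NXDOMAIN)
        return struct.pack("!HHHHHH", qid, 0x8583, 1, 0, 0, 0) + question
    if qtype != 1:                            # allowed name, non-A type: NOERROR, no data
        return struct.pack("!HHHHHH", qid, 0x8580, 1, 0, 0, 0) + question
    rr = (b"\xc0\x0c"                          # compression pointer to qname at offset 12
          + struct.pack("!HHIH", 1, 1, 60, 4)  # TYPE A, CLASS IN, TTL 60s, RDLENGTH 4
          + socket.inet_aton(ip))
    return struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0) + question + rr

def build_query(name, qid=0x1234, qtype=1):
    """Constructed helper: build a minimal query so the resolver can be exercised offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def serve(bind="127.0.0.1", port=5353):
    """Listen on UDP; point the laptop's manual DNS setting at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, addr = s.recvfrom(512)
            s.sendto(build_response(data), addr)

if __name__ == "__main__":
    serve()
```

Because the server never forwards upstream, a name that is not in the list cannot resolve even if malware ignores the hosts file, which is the gap the hosts-file approach leaves open.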