You need a proxy (which can be built into normal firewalls, or can be special devices, or can be "application aware" firewalls).
Something like squid is very, very common. You can configure it as a transparent firewall if it's on your gateway (in a firewall such as, say, pfsense). Another common one in the Windows world is ISA/TMG.
These solutions all work by actually inspecting the traffic as it flows through the device. Simply blocking IP addresses isn't a particularly good solution, because a site's IP address may change, or there can be literally thousands of sites sitting on the one IP address. By inspecting the traffic, you can block by:
- Domain Name (e.g. block facebook.com)
- Request String (e.g. block anything with ?myrequest=asdf in the URL)
- Content Returned (e.g. block anything with the word "chicken" on the page)
- Content Headers (mime types, e.g. block RAR/ZIP)
- Content Length (e.g. block downloads > 5 MB in size)
- Virus content (i.e. you can actually do virus scanning on the fly as the file is downloaded, blocking it at the edge of the network, not on the local machine)
etc. Most devices will even compile a nice report for you to give you a breakdown of your users' browsing habits. Top websites, times of day, content types, etc.
The majority of them (like squid and TMG) also include caching, so oft-made requests don't have to go out to the internet and back every time (e.g. the Google homepage).
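To make the bullets above concrete, here is a Squid 3.x `squid.conf` fragment written as an added example (it is not part of the answer above and not taken from the Squid project); the LAN range, the blocked domain, the query string, and the ICAP service URL are illustrative assumptions.

```conf
# Added illustration of the filtering categories from the answer above.
# Values below (LAN range, domain, query string, ICAP URL) are placeholders.

# Transparent interception of port 80 traffic redirected to the gateway.
# Note: without ssl_bump, HTTPS bodies are never seen, only the CONNECT target.
http_port 3128 intercept

# Assumed LAN range
acl localnet src 192.168.1.0/24

# Domain name: matches facebook.com and every subdomain
acl blocked_domains dstdomain .facebook.com

# Request string: any URL carrying this query fragment (case-insensitive regex)
acl blocked_query url_regex -i myrequest=asdf

# Content headers: archive MIME types, evaluated on the reply side
acl archives rep_mime_type -i ^application/zip$ ^application/x-rar-compressed$

# Request-side decisions (evaluated top to bottom, first match wins)
http_access deny blocked_domains
http_access deny blocked_query
http_access allow localnet
http_access deny all

# Reply-side decisions, taken once the response headers have arrived
http_reply_access deny archives
http_reply_access allow all

# Content length: refuse response bodies larger than 5 MB.
# Only enforceable when the server sends a Content-Length header.
reply_body_max_size 5 MB all

# Virus scanning and page-content inspection are not done by Squid itself;
# the response body is handed to an ICAP service (e.g. an antivirus scanner).
# bypass=off means a scanner outage blocks traffic rather than failing open.
icap_enable on
icap_service av_scan respmod_precache bypass=off icap://127.0.0.1:1344/avscan
adaptation_access av_scan allow all

# On-disk cache (2000 MB) and the access log that reporting tools summarise
cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
```

Run `squid -k parse` after editing to catch syntax errors before reloading, and check `access.log` for `TCP_DENIED` entries to confirm the rules actually fire.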