Contrary to some other answers, DNS is exactly what you would use to do this. First, you will need to ensure everyone on the network is using your DNS forwarder to resolve queries. You can control this as part of your DHCP configuration. Make sure you set the DNS settings to use your own DNS server(s), then configure those servers as resolvers or forwarders so they can resolve queries for the outside world (www.cnn.com for example). Once that is in place, you can create a forward lookup zone for whatever you want. If you want to kill myspace.com, set up myspace.com as a forward lookup zone, then create a wildcard 'A' record that points to 127.0.0.1 and it will become inaccessible. If you do this, I would direct users to an internal web server that returns a copy of the company's Internet use policy instead of a dead-end.
For basic names such as "crm" you can create a host called "crm" as an 'A' record within the default domain for the network. If your default domain is mycompany.local, you would create "crm.mycompany.local" and point it to whatever IP your CRM web server is located at. When someone puts "http://crm" into their browser, the OS will try to do a DNS lookup for "crm" and append the default domain "mycompany.local" to it automatically, resulting in "crm.mycompany.local".
One caveat is that this will only work for those using your DNS servers as their resolvers. If someone decides that they really want to get to myspace.com, they can change their TCP/IP settings to ignore the DHCP-assigned DNS servers and put in their own (such as those provided by OpenDNS, among others). You can control this in some cases using Active Directory Domain Security Policies for Windows systems; I'm not sure if you can limit that on a Mac, though.
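
A defensive check for the bypass described in the last paragraph, added here as an example and not part of the original answer: it scans flow records for clients that send DNS traffic to servers other than the internal resolvers. The resolver addresses, client range and log format are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed addresses of the internal DNS servers handed out by DHCP.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                      ipaddress.ip_address("10.0.0.54")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed client range
DNS_PORTS = {53, 853}  # DNS and DNS-over-TLS; DoH on 443 is not visible by port

# Constructed sample flow records: "timestamp src dst proto dport".
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.4.17 10.0.0.53 udp 53
2024-05-01T09:00:02 10.0.4.22 203.0.113.10 udp 53
2024-05-01T09:00:03 10.0.4.22 203.0.113.10 tcp 53
2024-05-01T09:00:04 10.0.4.31 198.51.100.20 tcp 443
2024-05-01T09:00:05 10.0.0.53 198.51.100.7 udp 53
2024-05-01T09:00:06 10.0.4.40 198.51.100.9 tcp 853
malformed line
"""

def find_dns_bypass(log_text):
    """Return {client_ip: sorted list of unapproved DNS servers it contacted}."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _ts, src, dst, _proto, dport = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if port not in DNS_PORTS or src_ip not in INTERNAL_NET:
            continue
        # The forwarders themselves must reach outside servers; clients must not.
        if src_ip in APPROVED_RESOLVERS or dst_ip in APPROVED_RESOLVERS:
            continue
        offenders[str(src_ip)].add(str(dst_ip))
    return {client: sorted(dsts) for client, dsts in offenders.items()}

if __name__ == "__main__":
    for client, servers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{client} bypassed internal DNS -> {', '.join(servers)}")
```

The same rule, expressed as an egress firewall policy that only lets the internal resolvers send DNS traffic out, turns this detection into enforcement.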