Realistically there's very little you can do. You can block at the DNS level or content filtering level, but any reasonable kid will get around such a measure.
You can enforce operating system restrictions, but then you'll have to avoid them booting off a USB pen into their own O/S.
You can block at the network level, but there's nothing to stop them using wifi to steal your neighbours' connections and downloading whatever they want.
You can even do all of the above, and then they'll use their iPhone to go to the sites you wanted banned.
Point is, you can try all sorts of things but the likely outcome will simply be resentment and causing them to look for ways to break the measures (with success in all likelihood).
The best measure you can take is education: teach them what's good and what's bad, and why. Teach them how sites can infect them, how viruses work, and why computer laws exist.
Do this, and you may even steer them into a career.
Edit: Oh, and I'd say there's FAR more harm done by using a computer 15 hours a day sat on your butt every day than viewing adult material. Being smart will prevent their brains being destroyed but a destroyed body is a lost cause.
My summary: Limit the time on the machine, not the usage patterns.
+1 for OpenDNS. The stats are great and you can even see if they tried to visit any sites as well as a record of every DNS lookup made by your network. Network speed is not affected at all and browsing speed usually increases over using ISP based DNS servers. – Chris_O – 2010-09-07T17:48:09.173
Care to explain how it works? – Ivo Flipse – 2010-09-07T19:56:17.927
@Ivo: OpenDNS servers can block certain queries, depending on the source IP address - you would get an OpenDNS-hosted page instead. (See also: NXDOMAIN breakage.) – user1686 – 2010-09-07T20:24:04.657
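An added sketch of the mechanism described in the comment above (not part of the thread and not OpenDNS's actual implementation): a filtering resolver selects a policy from the query's source IP, answers listed domains with a block-page address, and logs every lookup. All addresses, domains and function names are constructed assumptions.

```python
import ipaddress

# All values are constructed for illustration (RFC 5737 ranges, example domains).
BLOCK_PAGE_IP = "203.0.113.10"        # hypothetical resolver-hosted block page
UPSTREAM = {                          # stand-in for real recursive resolution
    "news.example.org": "198.51.100.20",
    "adult.example": "198.51.100.66",
    "video.adult.example": "198.51.100.66",
}
POLICIES = {                          # blocklist per customer source network
    ipaddress.ip_network("192.0.2.0/28"): {"adult.example"},
    ipaddress.ip_network("192.0.2.128/25"): set(),
}


def policy_for(src_ip):
    """Return the blocklist of the most specific network containing src_ip."""
    addr = ipaddress.ip_address(src_ip)
    matches = [net for net in POLICIES if addr in net]
    if not matches:
        return set()
    return POLICIES[max(matches, key=lambda net: net.prefixlen)]


def is_blocked(qname, blocklist):
    """Match the name or any parent domain, so subdomains are covered too."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(src_ip, qname, log):
    """Answer one A query and record it, as a filtering resolver would."""
    if is_blocked(qname, policy_for(src_ip)):
        answer, verdict = BLOCK_PAGE_IP, "blocked"
    else:
        # None models a name that does not resolve.
        answer = UPSTREAM.get(qname.rstrip(".").lower())
        verdict = "allowed" if answer else "nxdomain"
    log.append((src_ip, qname, verdict))
    return answer


if __name__ == "__main__":
    log = []
    for src, name in [("192.0.2.5", "video.adult.example"),
                      ("192.0.2.5", "news.example.org"),
                      ("192.0.2.200", "adult.example")]:
        print(src, name, "->", resolve(src, name, log))
    print(log)
```

The same name gets a different answer depending on which network asked, which is why the filter only applies to clients that actually send their queries to this resolver.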
The problem with DNS blocking is that it is pretty easy to get around for a lot of sites, by just pinging the domain on a site like www.nwtools.com, and then just using the obtained IP address in the browser address bar. Intelligent kids could find this out. – paradroid – 2010-09-07T20:33:15.337
I meant within his answer @grawity – Ivo Flipse – 2010-09-08T07:48:38.587
@jason404: The trick won't work with any site that is hosted on a "virtual domain", where many domains are served at a single IP address. (You would need admin rights for /etc/hosts, and if you have that, you might as well change your DNS servers.) – user1686 – 2010-09-08T13:16:00.013
@jason404: Also, s/pinging/looking up/ – user1686 – 2010-09-08T13:17:01.150
@grawity: Yes, I know, I said 'a lot of sites'. It won't work with shared servers or subdomains. Also, I mentioned using 'a site like www.nwtools.com', not from local command line, so that point is invalid. – paradroid – 2010-09-08T15:39:49.253
@grawity: Pinging the domain also gives the IP address, although it would look at NetBIOS names if done locally. I just said ping as it is clearer in this context. – paradroid – 2010-09-08T15:42:17.703
@jason404: Only as a side effect. (For example, ping6 on Linux doesn't.) In general, "to ping" means (at least as I know it) "send an echo request and wait for replies". Not "look up a machine's network address". – user1686 – 2010-09-08T20:45:20.050
@grawity: In order to ping, the program needs to resolve the IP address. Anyway, I said 'pinging the domain on a site like www.nwtools.com', and do you expect an IPv6 ping program like ping6 to return an IPv4 IP address? – paradroid – 2010-09-08T21:02:16.417
@jason404: 1) The 'ping' action is however completely unrelated. You could as well say "open the address in your browser and copy the IP from netstat." 2) No, I don't. You expect it to return an IP address. (I never did mention IPv4 specifically.)</flamewar> – user1686 – 2010-09-08T21:11:18.540
Are you guys really arguing about the semantics of the word "ping"? Does it really matter? – Sasha Chedygov – 2010-09-09T08:37:41.993
Just to lower the bar on this flame war: consider that some servers block ICMP. Carry on. – hyperslug – 2010-09-13T11:02:25.680