How to Block Employees From Accessing Websites (Step-by-Step)

As an employer or manager, you've probably noticed staff browsing Facebook during work hours, or maybe you've discovered someone streaming Netflix when they should be finishing that quarterly report. 

A few years ago, a U.S. government employee visited 9,000 inappropriate websites in under seven months, using their work computer to access adult content linked to Russian pages that contained malware.

This person averaged 79 inappropriate sites every business day and connected an unauthorized USB drive and personal phone to their work computer, which got infected.​

That's an extreme case, but it shows why learning how to block employees from accessing websites matters. You're trying to protect company data, maintain network security, and avoid legal problems. This guide shows you how to control internet access effectively.

Reasons for Controlling Internet Access

Restricting internet access addresses clear operational risks. It also protects your bottom line since unmonitored browsing impacts business and employee productivity, network security, and legal standing.

Consider, for example, that significant time spent on non-work sites has a direct impact on your team's output. The key reasons companies limit internet access or restrict access entirely include:

• Productivity Losses: Distracting websites divert employees’ attention from critical business operations and directly impact business productivity. 
• Legal Compliance: HIPAA requirements for healthcare, CIPA standards for schools, and copyright laws that prevent unauthorized downloads from torrent sites​.
• Professional Environment: About 51% of employees working from home admit to browsing adult content on work-used devices, according to a Kaspersky survey. Companies block websites with adult content to maintain professionalism and protect all employees.
• Security Threats: When employees visit unvetted or harmful websites, they can expose your network to online threats like ransomware, malware, and phishing attacks.  
• Bandwidth Management: Streaming sites can use up to 7GB per hour for 4K content, and 84% of Gen Z employees admit to streaming at work, slowing business-critical applications.

Building Your Policy for Blocking Unwanted Websites

You can't block access to everything, and you shouldn't try. A good internet access policy targets specific categories and helps you block specific websites or services that cause the most problems, while supporting legitimate work needs. Let’s look at some categories and  how Control D can help you manage access:

Social Media

When you create a Control D account and go to your profile, you have two primary methods for blocking social media, plus a custom option.

Block Specific Platforms

1. Navigate to Services > Social. Here, you will find a list of 57 social media platforms. 

2. Toggle on any service you wish to block. 

3. This action will stop access on both websites and applications.

Block the Entire Category 

1. For a comprehensive block, go to Filters > Social and set the main toggle to Blocked. 

2. This will restrict access to all services classified as social media.

Create Custom Rules 

1. If a platform you use is not on the default list, you can block it directly. Locate Rules and click the + sign.

2. Add the domain you want to block, and either click create or set an expiry date if you only want the block active for a certain time. Click Create. 

Streaming and Entertainment

Streaming services can slow your entire network when several people are watching simultaneously. With Control D, you can block  access to a specific streaming service or set up a custom rule by following these steps:

1. Navigate to Services > Video. Here, you will see a list of 314 streaming services you can block.

2. Toggle on any (or all) of the services you want to block. 

3. To create a custom rule, go to Rules, click the + sign, and add the domain URL of the streaming service you want to block. Optional: Set an expiration date for your block. 

Time-Wasting Sites and High Risk Content

You can apply the same steps above to manage any sites that affect staff productivity or pose a risk for your network. We recommend separating these sites into two groups: High-risk content and productivity and time-wasting sites. 

High-risk content, such as phishing and malware sites, adult content, gambling sites, and torrenting and illicit file-sharing platforms, must be completely blocked. Use the Filters function to block these entire categories. This is the most effective way to protect your network and sensitive client data from threats.

For productivity and time-wasting sites, you can apply a more flexible strategy. For example, your firm may not need to block all shopping sites, but may want to manage specific platforms or limit access with time-based blocks. For example, you can grant access to shopping sites during lunch hour. Add Custom Rules to block any sites that are not on the default lists.

Common Methods for Blocking Websites

You have several technical options for implementing internet access policies. Each method has different strengths for blocking websites effectively.

DNS Filtering

DNS filtering intercepts domain name lookups before they resolve to IP addresses. When an employee types a blocked website into the search bar, the DNS filter prevents the connection. This is one of the most effective methods to block access to unwanted websites. That said, DNS filtering can't block specific pages within a website; it can only block entire domains. You manage access at the domain level rather than individual web pages.

Key benefits of DNS filtering:

• Works at the network level, automatically protecting all devices without installing software on each one.
• Blocks sites before any data transfers occur.
• No HTTPS decryption is required, which improves performance.
• Protects remote employees using company DNS servers when devices are configured to use the organisation’s DNS​.

Cloud-based DNS filtering is a cost-effective option. Control D’s solution includes management dashboards that let you adjust policies, view reports, and monitor blocked attempts. These comprehensive solutions support work in Active Directory environments and SSO for user identity.

Read more: To compare DNS filtering with broader web-level controls, read our Web Filtering vs DNS Filtering guide.

Network Hardware

Business-grade routers and firewalls can block employees from certain websites at the network edge.

Routers work well for small offices that don't need sophisticated filtering. It's straightforward to set up, blocked sites are added through the admin panel, and it doesn't require a subscription.

The downside is manual management and a lack of granular control; most routers offer limited categories, and managing rules for different users can be clunky.

Firewalls offer more granular control than basic routers. You can block specific IP addresses, domain ranges, or traffic patterns. And they work well combined with other methods to create layered network security.

They can be hardware appliances in your server room or cloud-based services. The primary drawbacks are their cost and complexity, often requiring a steep learning curve and dedicated IT management.

Read more: Learn how to set up Control D on your router for complete, network-wide protection.

Endpoint Software

Web filtering software installs on individual computers and controls what each device can access. This works for remote employees whose devices don't always connect to your internal network.​ Endpoint solutions offer:

• Category-based blocking with customizable policies for different user groups.
• Time-based rules that block distracting websites during work hours.
• Role-based policies supporting user permissions through Active Directory​.
• Browser extensions like BlockSite (easy to install, but can be bypassed)​​.
• Mobile Device Management (MDM) for smartphones and tablets.

Why Standard Web Filtering Fails: Countering Modern Evasion Tactics

Basic website blocking stops casual browsing but falls short against determined users who want to bypass internet restrictions and access bl ocked content. 

Encrypted DNS (DoH/DoT)

DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries, preventing traditional DNS filters from seeing which sites employees request.​ You can counter these tactics by:

• Disabling DoH through Group Policy settings in Windows environments.
• Configuring firewalls to block connections to known DoH servers at ports 443 and 853​.
• Using modern DNS filtering services that maintain up-to-date blocks on known encrypted DNS endpoints and surface bypass attempts for review​.

VPNs and Proxies

Proxy websites and VPN services route traffic through external servers, hiding the true destination. Your filter only sees the proxy or VPN endpoint, not the blocked site behind it.​ You can stop this by:

• Maintaining updated lists of proxy domains and VPN provider IP addresses.
• Using web filtering services with databases of known proxies and VPNs​.
• Deploying endpoint software that works independently of network connectivity.​

Browser-Level DNS Settings

Modern browsers let users change DNS settings independently of system-wide settings. An employee can configure Chrome or Firefox to use public resolvers like 8.8.8.8 or 1.1.1.1.​  Prevention methods include:

• Using endpoint software that controls browser settings through policies.
• Blocking outbound DNS traffic to external resolvers at your firewall level​.
• Configuring Group Policy settings to prevent DNS changes​.

Mapping Your Controls by Layer

Effective blocking requires controls at multiple layers:

• Endpoint: Web filtering software enforces policies on individual devices regardless of network location. Controls browser settings and monitors all internet activity.​
• Browser: Enterprise policies configure Chrome and Edge settings centrally through Group Policy for all Active Directory users.​
• Network: DNS filtering, firewalls, and router settings block sites for all devices connected to your internal network. Provides broad coverage without configuring individual devices.​
• Cloud (Secure Web Gateways, SWG / Cloud Access Security Brokers, CASB): Secure Web Gateways inspect all web traffic. Cloud Access Security Brokers control access to cloud applications. Both provide consistent protection for remote workers, office employees, and mobile users.​

Beyond Blanket Blocks: Granular Control with Role-Based Internet Restrictions

Different employees need different levels of web access. Your marketing team needs social media sites. Your IT staff needs access to technical forums and software repositories. Customer support might need YouTube to watch tutorial videos. One-size-fits-all policies don't work.

The solution is to create separate internet access policies for each department or job function. Instead of managing permissions for every individual, you use Active Directory integration. This lets you assign employees to existing groups (like “Sales” or “IT”) and apply a specific filtering policy to that entire group.

Examples of Role-Based Policies

Here is what this looks like in practice:

• Marketing Department: Full access to LinkedIn, X, and Facebook for managing company accounts and campaign research, including video streaming.
• Sales Teams: LinkedIn access for prospecting, but other social media sites and entertainment platforms are blocked.
• IT and Development: Access to Stack Overflow, GitHub, and technical documentation, including software repositories.
• Customer Support: YouTube access is limited to product tutorials and help videos.
• General Employees: Non-essential sites are blocked, while business-critical sites remain allowed.

Refine Policies with Time-Based Rules

You can add another layer of control by managing when sites are accessible. These time-based rules help maintain employee productivity without micromanagement. For instance, you can block access to distracting sites during core work hours, but automatically permit access during scheduled lunch breaks.

How Control D Can Help

You need DNS filtering that stops modern bypass tactics. Control D works at the network level, allowing you to create custom filtering rules called "Profiles." You apply these Profiles to your network or specific devices ("Endpoints"), and every device using that Profile is protected within minutes. There are no software installations and no complicated configurations.

The service detects when employees try to use DoH or connect to proxy websites and blocks these attempts before they succeed.

This “Profile” system allows for granular control. You can use broad “Filters” to block entire categories (like Gambling or Malware) while also using “Services” rules to block specific applications like TikTok or Steam. This means your marketing team can access LinkedIn (a “Service” you allow) while the “Social Media” category (a “Filter”) is blocked for everyone else.

You can also set time-based rules that automatically switch Profiles, blocking social media sites during work hours but allowing access during lunch breaks.​

Remote workers get the same protection as office employees because their devices query Control D's servers regardless of location. The dashboard shows blocked attempts and bandwidth patterns without tracking individual employees. You see that 50 people tried accessing gambling sites this month, but you do not know which specific person did it.​

Implementation takes minutes. Log into your router, replace your current DNS server addresses with Control D's addresses, and filtering starts immediately. The platform integrates with Active Directory for automatic user group assignments and works alongside your existing firewall and endpoint tools. When someone needs temporary access to a blocked site, you grant it through the dashboard for specific durations without creating IT tickets or running approval workflows.

Read more: Want the full step-by-step setup process? Read our complete guide: How to Restrict Internet Access (Block Content): Step-by-Step Guide for detailed instructions on creating profiles, configuring endpoints, setting up schedules, and monitoring your network.​

FAQs about Blocking Websites from Employees

How to Block Employees from Accessing Websites

Start with DNS filtering services like Control D for network-wide protection. Point your DNS settings to the filtering service and configure category blocks for gambling, adult, and torrent sites. Add endpoint software for remote workers, configure your firewall to block proxy sites, and create department-specific rules through Active Directory integration. Disable DNS over HTTPS via Group Policy and test before company-wide deployment.

Can an Employer Legally Block Websites?

Yes, employers can legally block websites on company-owned devices and networks in most jurisdictions. Courts recognize that companies have a legitimate interest in controlling their equipment and internet connections. Notify employees through written internet access policies in employee handbooks and require a signed acknowledgment during onboarding.

Different rules apply to personal devices in BYOD environments. Some industries face specific regulations, such as HIPAA for healthcare or CIPA for schools.​

How to Block Social Media Websites on Chrome?

For network-wide blocking, use DNS filtering services that block the social media category across all browsers and apps. For Windows business environments, configure proxy settings through the Group Policy Management Console to block social media domains.

This affects Chrome because it uses Windows proxy settings. For individual devices, install browser extensions like BlockSite, but remember that employees can bypass them by switching browsers. Create role-based exceptions for marketing teams needing social media access.​

What is the Most Effective Method for Blocking Websites?

DNS filtering gives you the best effectiveness and performance balance, blocking websites before data transfers occur. Combine it with endpoint software for complete coverage of remote workers.

Add firewall rules to block proxy services and VPN providers. Implement controls at multiple layers, including endpoints, browsers, networks, and the cloud. Use Active Directory integration for role-based policies and time-based rules that block distracting sites during work hours. Pair technical controls with clear policies and employee education.