You could turn off DHCP by default or controlled by a cron job, so that the contents of /etc/hosts take control over name resolving. This means that only hostnames included in that file will be resolved.
Or you can keep DHCP running, but set it so that the /etc/hosts file read first (actually a common default anyway) and you can make the prohibited sites point to localhost, so that those sites will never be displayed, but your local webserver is called with it's default index page.
All this will not help, if the kids know the IP number of the site, because then they will bypass all name resolving instances completely. You could still play around with IP masquerading to modify harmful incoming TCP-packets by redirecting them to some non-existent IP on your local network, but that's quite overkill and needs a lot of tweaking.
If your Windows PC's are configured to be launched via network from a central server (mostly a business solution) then you have some control over booting. But I think that creating accounts with limited permissions (unable to install applications) should be enough for kids.
I actually think that it might be better to talk straight with the kids and give them some trust. Check the browser history to see where they are surfing and talk with if you see something offending. Otherwise this whole thing becomes a prison measure.