1) I don't really see a problem with this, other than the fact that I personally don't like to clutter root's home directory with system configuration files. In general /etc is the "correct" place for system configuration files to live.
2) If you want to do it by domain then the only thing I can think of is a two-stage iptables script system. Stage 1 drops everything incoming except replies to outgoing requests... then you bring up the interface... then the stage 2 script does all the specific dropping such as your www.yahoo.com rule. This will give a very small window during boot-up where a user could get to www.yahoo.com, but it allows you to bring up your interfaces without having any window for external attacks. If this box is a router you could always bring up the local network routing rules in the second stage so that nobody could get through the box to the outside world until all your other rules were applied.
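The two-stage bring-up sketched in that reply, written out as an added example (this is not code from the original post). The interface names eth0/eth1 and the DRY_RUN switch are assumptions; without DRY_RUN the functions call the real iptables and need root.

```shell
#!/bin/sh
# Two-stage firewall bring-up: stage1 before the interface is up,
# stage2 (hostname-based rules) after it is up and DNS works.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}   # assumed outside interface
LAN=${LAN:-eth1}   # assumed inside interface (router case)

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stage 1: default-deny inbound and forwarded traffic; only allow
# loopback and replies to connections this box (or the LAN) started.
stage1() {
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Router case: LAN hosts may talk to each other, but not out yet.
    run "$IPT" -A FORWARD -i "$LAN" -o "$LAN" -j ACCEPT
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Stage 2: hostname rules (iptables resolves the name once, at insert
# time, to whatever A records DNS returns), then open LAN -> outside.
stage2() {
    run "$IPT" -A OUTPUT -d www.yahoo.com -j DROP
    run "$IPT" -A FORWARD -i "$LAN" -d www.yahoo.com -j DROP
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

bring_up_firewall() {
    stage1
    run ifup "$WAN"
    stage2
}
```

Because the general LAN-to-WAN ACCEPT is only added in stage2, the boot-time window the reply mentions exists only for traffic originating on the box itself, not for hosts behind it.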