Have you considered using web proxy software? In my small network, all direct internet access is denied by the router - everything has to go via the privacy-enhanced proxy running on a server. The URLs get logged, URLs are restricted and the HTML is filtered to remove most of the normal dross/abuses such as pop-ups, cookie tracking, advertising, etc.
With the client proxy configuration set up properly, all local content is accessed directly while all internet access is via the proxy.
See
http://www.privoxy.org/
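The client-side split described above (local content direct, everything else through the proxy) can be expressed as a proxy auto-config (PAC) file. This is an added example, not part of the original post; the proxy address 192.168.1.10, the `.lan` suffix and the helper names are assumptions, and 8118 is Privoxy's default listening port.

```javascript
// Added example: proxy auto-config (PAC) file, e.g. served as proxy.pac.
// Assumptions (not from the post): proxy host 192.168.1.10, Privoxy's
// default port 8118, and an internal DNS suffix of ".lan".
var PROXY = "PROXY 192.168.1.10:8118";
var LOCAL_SUFFIX = ".lan";

// Parse a dotted-quad IPv4 literal into a 32-bit number, or null.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True for loopback, RFC 1918 and link-local addresses.
function isPrivateIPv4(n) {
  var ranges = [
    [0x7f000000, 8],   // 127.0.0.0/8
    [0x0a000000, 8],   // 10.0.0.0/8
    [0xac100000, 12],  // 172.16.0.0/12
    [0xc0a80000, 16],  // 192.168.0.0/16
    [0xa9fe0000, 16]   // 169.254.0.0/16
  ];
  return ranges.some(function (r) {
    var size = Math.pow(2, 32 - r[1]);
    return n >= r[0] && n < r[0] + size;
  });
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");
  var ip = ipv4ToInt(host);
  if (ip !== null) return isPrivateIPv4(ip) ? "DIRECT" : PROXY;
  // IPv6 literals are not classified here; send them via the proxy.
  if (host.indexOf(":") !== -1) return PROXY;
  // Single-label names and the internal suffix are local.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down, requests fail closed.
  return PROXY;
}
```

Because the return value never lists `DIRECT` as a fallback for internet hosts, a client that loses the proxy gets an error instead of silently bypassing the logging and filtering, which matches the router rule that denies direct access.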