Thanks everyone for the comments! Still, in the end it turned out to do what I wanted. At least in one place. If anyone is interested, I installed kaspersky crystal (it has a parental control module) and kerio winroute (a regular firewall). The first blocks applications on a schedule and completely blocks porn sites, the second blocks the sites I have chosen on a schedule. Both are very resistant to traversal. As soon as I did not try to get around - it did not work. Of course, it will not save you from livecd, but other methods do not work due to the high security of the Kaspersky antivirus and the low-level driver from kerio. The problem with kerio was that it didn't have protection against changing settings. I looked in the task manager - there are two processes from kerio, the first is directly engaged in blocking, the second is for the tray icon, where these settings actually change (disable / enable, launch the admin panel). If this second process is closed, the firewall still works and sites are blocked. Therefore, I took it and banned the launch of this second process from kerio in the same Kaspersky. Well, of course, I put a password in Kaspersky to change the settings. Even if I had to dance with a tambourine, but in general it works as it should. It is also necessary to add the kerio process to the list of trusted applications of Kaspersky. Well, when installing Kaspersky, he will swear at incompatibility with kerio, but you can forget about this and click "Skip" in the corresponding installation window. Well, of course, I put a password in Kaspersky to change the settings. Even if I had to dance with a tambourine, but in general it works as it should. It is also necessary to add the kerio process to the list of trusted applications of Kaspersky. Well, when installing Kaspersky, he will swear at incompatibility with kerio, but you can forget about this and click "Skip" in the corresponding installation window. Well, of course, I put a password in Kaspersky to change the settings. Even if I had to dance with a tambourine, but in general it works as it should. It is also necessary to add the kerio process to the list of trusted applications of Kaspersky. Well, when installing Kaspersky, he will swear at incompatibility with kerio, but you can forget about this and click "Skip" in the corresponding installation window.

I would take a router and install a modified (custom) firmware on it with the ability to install software. This will allow you to install Squid or 3proxy, which allow you to restrict L7 access according to any rules. How to wrap traffic on a proxy is another matter. Either transparently (if the computer user has administrator rights), or register a proxy in the browser (if the account has limited access rights, do not install other browsers and do not change proxy settings). Transparent proxying is still preferable.
It is worth remembering that this configuration is easily bypassed by using a VPN or other proxy server.

Buy a router, stock firmware often has such functionality, if not, dd-wrt will save.

TrafficWasher and prevent the task manager from running for the user, the simplest.

I recently asked myself the same question. The firewall in the router turned out to be too primitive and could not provide the necessary functionality. As a result, after trying a bunch of options, I came across a free service Rejector . The service works as a DNS server. Allows you to configure filters on a schedule, everything is done quite conveniently.

Here I was “inserted from Ispumizan” (c) for the last time on this topic :)