Blocking websites on an office network serves multiple purposes: improving productivity by limiting access to social media and entertainment sites, protecting users from malicious websites, enforcing acceptable use policies, and meeting compliance requirements in some regulated industries. There are several approaches with different levels of control and complexity. This guide covers them all, from the simplest per-device fix to enterprise-grade solutions.
Method 1 (hosts file) blocks one website on one PC – useful for a quick fix. Method 2 (router DNS) blocks across your entire network but is easy to bypass. Method 3 (Cloudflare Gateway) provides free category-based filtering. Method 4 (FortiGate firewall) provides enterprise-grade control with reporting. Method 5 (endpoint software) enforces policies even on remote devices.
Method 1: Windows Hosts File (Single Device, Free, Instant)
The Windows hosts file is a local text file that maps domain names to IP addresses. By redirecting a domain to 127.0.0.1 (your own PC), the website becomes unreachable on that specific machine. No router access or special software is needed.
Open Notepad as Administrator (right-click Notepad in the Start menu, select Run as administrator). Go to File > Open. Navigate to C:\Windows\System32\drivers\etc. Change the file type dropdown from Text Documents to All Files. Open the file named hosts (no extension).
At the end of the file, on a new line, add:
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
Save the file. The website is now blocked on this machine only. Add both the www and non-www versions of the domain for complete blocking.
A technically capable user can find and reverse the hosts file change, or simply change their DNS settings to bypass it. For reliable enforcement, use the firewall or endpoint management methods described below.
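The Python code below is an added example, not part of the original guide. It parses hosts-file text, reports which www and non-www names from a block list are absent or mapped to a non-loopback address, and appends the missing entries without duplicating existing ones. The function names, the SAMPLE file and the domain list are assumptions made for illustration.

```python
import ipaddress

SINK = "127.0.0.1"  # the loopback address used in the entries above

# Constructed sample hosts file, not taken from a real machine.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 facebook.com   # bare name only, www form missing
# 127.0.0.1 www.facebook.com
10.0.0.5 www.youtube.com
"""

def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) entry."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:  # one line may list several names
            entries.setdefault(name.lower().rstrip("."), fields[0])
    return entries

def variants(domain):
    """Bare and www forms of a domain, since both need an entry."""
    bare = domain.lower().strip().rstrip(".")
    bare = bare[4:] if bare.startswith("www.") else bare
    return [bare, "www." + bare]

def audit(text, domains):
    """Return (absent, conflicting) names for the given block list."""
    entries = parse_hosts(text)
    names = list(dict.fromkeys(n for d in domains for n in variants(d)))
    absent = [n for n in names if n not in entries]
    conflicting = [n for n in names if n in entries and not (
        ipaddress.ip_address(entries[n]).is_loopback
        or ipaddress.ip_address(entries[n]).is_unspecified)]
    return absent, conflicting

def add_blocks(text, domains):
    """Return hosts text with absent names appended; safe to run repeatedly."""
    absent, _ = audit(text, domains)
    if text and not text.endswith("\n"):
        text += "\n"  # keep new entries off the last existing line
    return text + "".join(f"{SINK} {name}\n" for name in absent)
```

Writing the result back to the real hosts file requires an elevated process. Conflicting names are reported rather than changed, because appending a new line does not remove the existing mapping.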
Method 2: Router DNS Block (All Devices on Network)
Most modern routers include a Parental Controls or Access Control section that allows specific domains to be blocked for all connected devices. Log into your router admin panel (see our guide on finding your router IP address), navigate to Parental Controls, Access Control or DNS Settings, and enter the domains you want to block. The router will refuse to resolve those domains for any device connected to the network.
This is a simple and effective method for small offices, but it has two limitations: it only applies to devices on your network (not staff using mobile data or VPNs), and the blocking granularity is limited to full domains rather than specific pages.
Method 3: Cloudflare Gateway (Free, Category-Based, Network-Wide)
Cloudflare Gateway is a free DNS-based security and filtering service. You set up filtering policies in the Cloudflare dashboard and then point your router’s DNS servers to Cloudflare Gateway addresses. All DNS queries from your network pass through Cloudflare, which applies your policies.
Sign up at cloudflare.com/zero-trust. Create a free account. Under Gateway > Policies > DNS, create a new policy. You can block by category (Social Media, Adult Content, Gambling, Streaming Video) or by specific domain. Cloudflare will provide two DNS resolver addresses. Log into your router admin and update the DNS server settings to these addresses. The filters apply immediately to all devices on the network.
The free tier is sufficient for most small and medium businesses and covers the most common blocking needs without any hardware investment.
Method 4: FortiGate Next-Generation Firewall (Enterprise, Full Control)
For businesses that need comprehensive web filtering with detailed logging, user-based policies and application control, a FortiGate NGFW with FortiGuard web filtering is the professional solution. FortiGuard classifies over 300 million websites into 75+ categories and updates in real time.
With FortiGate you can block by category, by specific URL, by user or user group (certain staff can access sites blocked for others), and set time-based policies (e.g. allow social media during lunch only). Full logs show exactly who accessed what and when, which is valuable for both security and compliance purposes.
Method 5: ManageEngine Endpoint Central (Per-Device, Works Off-Network)
Endpoint Central allows IT administrators to deploy browser management and web filtering policies directly to individual Windows devices. Crucially, these policies travel with the device – a staff member working from home or using mobile data is still subject to the policy. This is essential for remote workers and for ensuring compliance when devices leave the office network.
Start with Cloudflare Gateway (free) for basic network-level category blocking. Add ManageEngine Endpoint Central managed by Cybergate for per-device policy enforcement that follows devices outside the office. Scale to FortiGate when you need detailed logging and user-based policies. Cybergate can advise on the right solution for your headcount and budget.
