Friday, May 11, 2012

Acrylic DNS Proxy for Restricting Web Access

From time to time situations arise where a client wants to deploy a PC with very limited internet access.  For example, one of our clients uses a web timesheet application and has a PC on the shop floor that hourly employees use to sign in and out on.  How do you make it so that employees cannot also use that machine to visit other sites, waste time, catch malware, etc?

Acrylic DNS Proxy is a good solution for this situation.  Not only does it do the job, it is free, open source software.  And when I emailed a stupid question to the developer, Massimo Fabiano, he responded within hours with a helpful reply.

To add to the "documentation" available on the web for Acrylic DNS Proxy, here are some things I've learned about it:
  • In the configuration file, if you add just one site to the [WhiteExceptionsSection] you activate the "blacklisting" feature of the software, and all sites are blacklisted except those you add to the [WhiteExceptionsSection].
  • Wildcards are said to be accepted in the software's custom Hosts file, but they do not work in the configuration file.  So to whitelist certain web pages, you have to track down all the secondary host names involved in accessing that web page and add those names in the [WhiteExceptionsSection].
    • For example, it is not enough to whitelist mail.google.com to provide access to Gmail.  At a minimum, you also need to add accounts.google.com.  To get all the button images/text, you also need to add ssl.gstatic.com and clients2.google.com.  So, as you can see, it gets to be a fair amount of work if there are more than a few sites that people need to be able to access.
  • In a peer-to-peer local-area network with shared folders/drives, without a fully-qualified domain name, host names don't seem to work.  I added a FileServer machine to the Hosts file, and tried to map drives to the FileServer.  Unfortunately, looking at the Acrylic logs, Windows (?) appends a random domain to the host name (e.g. FileServer.router4290.local) and Acrylic blacklists the request.  So I map to the IP of the FileServer instead.  Not a big deal if it has a static IP.
  • When you need to download updates and patches to the PC, or otherwise open the machine up to the Internet for a short period of time, it is a simple matter.  Make a copy of the configuration file.  Delete all the entries in the [WhiteExceptionsSection] of the configuration file. Save the edited configuration file. Restart the Acrylic DNS service.  Now the machine can go anywhere on the Internet.  When you are done, replace the configuration file with the copy you made and restart the Acrylic DNS service.
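As an added example (not from the original post and not Acrylic's own code), here is a small Python model of the exact-match whitelist behaviour described above: an empty [WhiteExceptionsSection] lets everything resolve, a non-empty one blocks every name not listed verbatim, and a helper reports which host names observed while loading a page would still be blocked. The Gmail host list and the FileServer.router4290.local name are the post's own; the `GMAIL_SESSION` query list is constructed for the example.

```python
# Added example: models the whitelist logic the post describes, so an admin
# can work out the secondary host names a page needs before deploying.
from typing import Iterable, List, Set


def normalize(name: str) -> str:
    """Lower-case a host name and drop any trailing dot so matching is exact."""
    return name.strip().rstrip(".").lower()


def is_allowed(query: str, whitelist: Set[str]) -> bool:
    """Mirror the behaviour described in the post:
    - an empty [WhiteExceptionsSection] means blacklisting is off: everything resolves;
    - otherwise only names listed verbatim resolve (no wildcards, no suffix match),
      so 'FileServer' does not cover 'FileServer.router4290.local'."""
    if not whitelist:
        return True
    return normalize(query) in {normalize(w) for w in whitelist}


def missing_hosts(whitelist: Set[str], observed: Iterable[str]) -> List[str]:
    """Return the observed host names that the current whitelist would block,
    de-duplicated and in first-seen order: these are the entries still to add."""
    seen: Set[str] = set()
    blocked: List[str] = []
    for q in observed:
        n = normalize(q)
        if n in seen:
            continue
        seen.add(n)
        if not is_allowed(n, whitelist):
            blocked.append(n)
    return blocked


# Constructed sample: names queried while opening Gmail when only
# mail.google.com is whitelisted; the extra hosts are the ones the post names.
GMAIL_SESSION = ["mail.google.com", "accounts.google.com", "ssl.gstatic.com",
                 "clients2.google.com", "accounts.google.com"]

if __name__ == "__main__":
    print("still blocked:", missing_hosts({"mail.google.com"}, GMAIL_SESSION))
    # -> still blocked: ['accounts.google.com', 'ssl.gstatic.com', 'clients2.google.com']
    print("FileServer.router4290.local allowed:",
          is_allowed("FileServer.router4290.local", {"FileServer"}))
    # -> FileServer.router4290.local allowed: False
```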
