This issue seems to come up for me all the time. There are a number of ways I've dealt with this, as suggested above: DD-WRT, PF Sense, as well as comprehensive Threat Management solutions.
Fancy solutions like the Barracuda stuff or Sophos are great, but expensive.
You can get the job done with DD-WRT. My experiences putting this on consumer routers (probably 15 distinct models on 30 devices over the past 8 years) haven't been great. I've found stability to be an issue. Some of this could be DD-WRT code over the years, some could be the consumer routers burning out. But I've repeatedly had installations become unstable over time.
My current budget preference is pfSense on some Netgate hardware. Something like this little ALIX based system (http://store.netgate.com/Netgate-m1n1wall-2D3-2D13-Red-P218C83.aspx). I've used 3 or 4 of the ALIX ones and two of the large Hamakua units and had great results in terms of performance and stability. The pfSense interface is great, and it also leaves you open to a bunch of fancier configurations in the future. On pfSense you may want to look at Squid for whitelisting.
Some other ways you could accomplish this, your mileage may vary here (so please don't throw tomatoes):
* Stand up a second DNS server that doesn't recurse up the hierarchy except for the approved sites. Assign the restricted employees to these DNS servers, and set up separate VLANs if you want to prevent an enterprising youth from cheating.
* This is the opposite of a whitelist, but I've created an LMHosts file that forces resolution of (say) the top 1000 sites to 127.0.0.1. I then distribute the file on a regular basis via script or Group Policy.
* If there is a domain, configure Group Policy to set proxy settings for all sites except the whitelisted ones.
Best,
-eric
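As an added illustration of the two DNS-based approaches in the post above (an allowlist-only resolver and a generated hosts-style blocklist file), the following Python is example code written for this page, not Eric's own scripts or any pfSense/DD-WRT feature. It assumes placeholder domain names (`example.com`, `social.test`) and documentation-range addresses (`192.0.2.x`) that are constructed for the demo. The point it makes that the prose does not is the matching rule: an allowlist entry must match the name exactly or as a parent domain, so `notexample.com` is not let through by an `example.com` entry, and the blocklist generator must skip anything that is on the allowlist so the two lists cannot contradict each other.

```python
"""Allowlist-only DNS policy and hosts-style blocklist generation.

Constructed example for illustration; not the original poster's code.
All domain names and addresses below are placeholders.
"""
from typing import Dict, Iterable, Optional, Tuple


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_allowed(query: str, allowlist: Iterable[str]) -> bool:
    """True if the query equals an allowlisted name or is a subdomain of one.

    The subdomain test requires a leading dot boundary, so that
    'notexample.com' is NOT matched by an allowlist entry 'example.com'.
    """
    q = normalize(query)
    for entry in allowlist:
        a = normalize(entry)
        if q == a or q.endswith("." + a):
            return True
    return False


def resolve_policy(
    query: str, allowlist: Iterable[str], upstream: Dict[str, str]
) -> Tuple[str, Optional[str]]:
    """Simulate the 'second DNS server' from the post.

    Names outside the allowlist are refused outright rather than forwarded.
    Allowed names are looked up in `upstream`, a stand-in for the recursive
    forwarder (constructed dict instead of a real network lookup).
    """
    if not is_allowed(query, allowlist):
        return ("REFUSED", None)
    ip = upstream.get(normalize(query))
    return ("NOERROR", ip) if ip else ("NXDOMAIN", None)


def build_hosts_file(
    blocked: Iterable[str], allowlist: Iterable[str] = (), sink: str = "127.0.0.1"
) -> str:
    """Blocklist variant: sinkhole each blocked name to `sink`.

    Names are de-duplicated after normalisation, and any name that the
    allowlist would permit is skipped so the two policies never conflict.
    """
    lines = ["# generated blocklist (constructed example)"]
    seen = set()
    for name in blocked:
        n = normalize(name)
        if not n or n in seen or is_allowed(n, allowlist):
            continue
        seen.add(n)
        lines.append(f"{sink}\t{n}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allow = ["example.com", "intranet.example.net"]
    # Constructed upstream answers standing in for a real forwarder.
    upstream = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.11"}
    for q in ["www.example.com", "notexample.com", "social.test"]:
        print(q, "->", resolve_policy(q, allow, upstream))
    print(build_hosts_file(["social.test", "Social.Test.", "www.example.com"], allow))
```

Running the block prints `NOERROR` with an address for `www.example.com`, `REFUSED` for the other two names, and a hosts-style file containing a single `social.test` sinkhole line. The `REFUSED` path is the one to alert on in practice: a restricted client that repeatedly hits it is either misconfigured or probing, and logging those refusals on the resolver gives you that visibility for free.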