Make bypassing annoying.

1. On iPhone or iPad, open Settings → Wi-Fi.
2. Tap the blue i next to your network.
3. Tap Configure DNS.
4. Switch to Manual.
5. Delete old DNS servers if they are listed.
6. Tap Add Server and enter a family-safe resolver such as 208.67.222.222 or 208.67.220.220.
7. Tap Save.
8. On Mac, open System Settings → Network → Wi-Fi → Details → DNS.
9. Add the same resolver there too.
10. Test a known blocked site in Safari and in any other browser still installed.

If you want provider-side rules or account controls, sign up for the DNS service’s dashboard and set those limits there too.

1. Keep only one browser if you can.
2. Remove the browsers you do not need.
3. In Screen Time, keep the adult-site block from Guardrails active.
4. Use Allowed Websites Only if you need the stricter version.
5. Turn off app installs that make it easy to add another browser.
6. Test from a second browser before you stop.

1. Open Settings → Network & internet.
2. Tap Private DNS.
3. Choose Private DNS provider hostname.
4. Enter a family-safe hostname from your DNS provider.
5. Tap Save.
6. Open Chrome and test a blocked site.
7. Test any other browser you left on the phone.
8. If one browser still works, remove it.

1. Keep Family Link in place from Guardrails.
2. Remove browsers you do not need.
3. Keep SafeSearch on.
4. Keep Restricted Mode on in YouTube.
5. Set Google Play approval so new browsers need permission.
6. Keep the parent account password off the device.

1. Open Settings → Accounts → Family & other users.
2. Under Other users, click Add account.
3. Choose I don’t have this person’s sign-in information.
4. Choose Add a user without a Microsoft account.
5. Create the daily account first.
6. Click that account and choose Change account type.
7. Leave it as Standard User.
8. Create a second account for admin recovery.
9. Make that one Administrator.
10. Give the admin password to a trusted person.
11. Use the standard account for everything day to day.

If the same person owns both accounts, it is not a lockout. It is just a delay.

1. Sign in to the standard account.
2. Open Settings → Network & Internet.
3. Set a family-safe DNS resolver if your adapter settings allow it.
4. Open Notepad as Administrator.
5. Open C:\Windows\System32\drivers\etc\hosts.
6. Add blocked domains one per line, mapped to 127.0.0.1.
7. Save the file.
8. Open Command Prompt and run ipconfig /flushdns.
9. Test the block in Edge.
10. Test the block in any other browser still installed.

1. Sign into the admin account.
2. Right-click the hosts file and open Properties.
3. Go to Security → Advanced.
4. Select the standard account entry.
5. Remove write access.
6. Leave write access only for the admin account.
7. Apply the changes.
8. Sign back into the standard account.
9. Confirm the file is readable but not editable.
10. Keep the admin password with the trusted person.

This is the part that makes the setup stick. If the standard user can edit hosts, the lock is weak.

1. Keep Microsoft Family Safety active if you are using it.
2. Use Edge for the managed account if you depend on Family Safety filtering.
3. Remove or block browsers you do not need.
4. Block portable browser installs if you can.
5. Use AppLocker or Group Policy if your edition supports it.
6. Do one test after each change.

1. Open a terminal.
2. Run sudo nano /etc/hosts.
3. Add blocked domains, one per line, mapped to 127.0.0.1.
4. Save with Ctrl+O, press Enter, then exit with Ctrl+X.
5. Set a family-safe DNS server at the system level.
6. Keep one browser for daily use.
7. Test the site in your browser and again after a reboot.

1. Use a standard user for daily work.
2. Keep root or sudo access separate.
3. Change the hosts file owner to root:root if needed.
4. Make the daily user read-only on that file.
5. If your distro supports it, make the hosts file immutable after you finish.
6. Use ufw, firewalld, or iptables to block DNS to anything except your chosen resolver.
7. Remove extra browsers and browser profiles you do not need.

For strong lockout, the machine and the network should both block the same thing.

1. List the sites you actually need.
2. Block everything else at the router, proxy, or firewall.
3. Keep the allowlist small.
4. Have the trusted person hold the override credentials.
5. Review the list before you add anything new.

1. Open a browser on a device connected to the router.
2. Type the router address into the address bar. Common ones are 192.168.0.1 and 192.168.1.1.
3. Log into the router admin page.
4. If you do not know the login, stop and get it from the trusted person or the ISP paperwork.
5. Find the WAN, Internet, DNS, or Advanced section.
6. Set the primary DNS to a family-safe resolver or your own filter.
7. Set the secondary DNS too.
8. Save the settings.
9. Reboot the router if it asks.
10. Test a blocked site from a device on the Wi-Fi network.

1. Change the router admin password if you have not already.
2. Give that password to the trusted person.
3. Disable guest-network tricks if the router offers them.
4. Block outbound DNS to anything except the chosen resolver if the router supports it.
5. Turn off DNS-over-HTTPS override options if the router exposes them.
6. Test from a guest network too.
7. If the router has device allowlists, use them only if you really need the hardest setup.