BlockMyself
Lockout

Make it hard to reverse alone.

This is the serious level. It builds on Guardrails and Friction. Use it when the trusted person should hold the keys. If you can undo it by yourself, it is not done.

Trusted-person control | Network enforcement | Admin separation

Before you start

  1. Finish Guardrails first.
  2. Add Friction if the basic setup still gets bypassed.
  3. Decide who holds the recovery path.
  4. Plan to keep your own copies of the reset credentials off the device.
If you can still change the setup alone, the lockout is not strong enough yet.

iPhone / iPad

Use Screen Time plus external recovery
  1. Go back to Guardrails first if you need the basic Screen Time setup.
  2. Keep Screen Time on and use the strongest content restrictions available.
  3. Have a trusted person hold the Screen Time passcode.
  4. Use a network-level filter too, so the phone is not relying on device-only blocking.
  5. Keep extra browsers and app installs locked down.
  6. If the device is your own, do not keep the Apple account password on the phone.
  7. If the device belongs to a child or partner, the trusted person should hold the recovery method.
  8. Test the block in Safari and in any other browser still installed.
Move the recovery path off-device
  1. Do not keep the Screen Time code in your own notes.
  2. Do not leave the Apple account password saved on the phone.
  3. Move account recovery to the trusted person where possible.
  4. Test one undo step on purpose so you know where the weak point is.

Android

Use managed accounts and network filtering
  1. Go back to Guardrails first if you need Family Link.
  2. Keep Family Link or another managed setup in place if the device supports it.
  3. Use Private DNS or a router-level filter too.
  4. Remove browsers you do not need.
  5. Lock Settings and app-install paths as much as possible.
  6. Have a trusted person hold any password or PIN that reverses the setup.
  7. Do not leave the recovery email signed in on the phone.
  8. Check that the Play Store cannot install new browsers without approval.
If the device is rooted or heavily managed
  1. Use host-file blocking or firewall rules only if you know what you are doing.
  2. Keep a backup of the setup somewhere else.
  3. Use a recovery password that is not on the phone.
  4. Test whether a second browser or VPN can still get out.

Windows

Harden the account and the network
  1. Go back to Guardrails first if you need the Family Safety setup.
  2. Use Microsoft Family Safety if you can.
  3. If not, use a standard user account with a separate admin.
  4. Keep the admin password with a trusted person.
  5. Force web use through Edge if you depend on Family Safety filtering.
  6. Use DNS filtering plus hosts-file blocks as backups.
  7. Block alternative browsers and uninstall paths where possible.
  8. Do not let the standard user know the admin password.
  9. Do not leave the admin account signed in during daily use.
Use policy tools if you are the admin
  1. Use Group Policy or AppLocker if your edition supports it.
  2. Restrict Registry Editor and other obvious escape hatches.
  3. Block outbound DNS to anything except your chosen resolver if you can.
  4. Keep logs somewhere a trusted person can review.
Windows hosts-file lockout example
  1. Make a standard daily account and a separate administrator account.
  2. Log in with the administrator account.
  3. Open C:\Windows\System32\drivers\etc\hosts in Notepad as administrator.
  4. Add the blocked sites.
  5. Open the file properties.
  6. Go to Security > Advanced.
  7. Remove write access for the daily account.
  8. Leave write access only for the admin account.
  9. Sign out of admin and use the standard account for normal work.
  10. Give the admin password to the trusted person.

This is the kind of step that makes the lockout real. The daily user should not be able to casually undo it.

Mac

Use Screen Time plus stronger account control
  1. Go back to Guardrails first if you need the Mac Screen Time setup.
  2. Start with Screen Time, then go beyond the default adult-site block if needed.
  3. Use Preference Restrictions to lock Screen Time settings.
  4. Use a separate admin account if you want another person to hold the password.
  5. Remove extra browsers and lock app installs.
  6. Add DNS or hosts-file blocking if you need another layer.
  7. Do not keep the admin password in the same place as the daily login.
Use managed profiles if you know the Apple stack
  1. Use configuration profiles or MDM only if you already know the tooling.
  2. Make sure the user cannot remove the profile alone.
  3. Put the override password somewhere else.
  4. Test after every macOS update.

Linux and network

If you need the basic device setup, go back to Guardrails first. This section is for the strong network-first version.

Lock the router or gateway first
  1. Log into the router or gateway admin page.
  2. Change the router password if you have not already.
  3. Set the DNS to a family-safe resolver, Pi-hole, or another filter you trust.
  4. Block outbound DNS to anything except that resolver if the router supports it.
  5. Disable guest network DNS tricks if you see them.
  6. Give the router password to the trusted person.
  7. Test the filter from a device on Wi-Fi and on a guest network if you still have one enabled.
  8. Change the SSID or Wi-Fi password after you finish if you need to remove old devices from the network.
Lock the Linux machine itself
  1. Create one standard user for daily use and keep root access separate.
  2. Edit /etc/hosts as root and add blocked domains.
  3. Set the file owner to root:root and keep it readable, not writable, by the daily user.
  4. Use ufw, firewalld, or iptables to block DNS to any server except your chosen resolver.
  5. Remove browsers you do not need or keep only one browser on purpose.
  6. If your distro supports it, make the hosts file immutable after you finish.
  7. Do not keep the root password in the same place as the daily account login.

This is stronger when the router already blocks fallback DNS. The machine and the network should both say no.
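
A way to check steps 2, 3 and 6 of "Lock the Linux machine itself" from the daily account. This is an added example, not part of the original page. The function name audit_hosts and the blocked.example domains are placeholders, and it assumes GNU stat.

```sh
#!/bin/sh
# Added example: audit the hosts-file lockout while logged in as the daily user.
# Usage: audit_hosts FILE OWNER_UID DOMAIN...   (OWNER_UID is 0 for root)
# Returns 0 if every check passes, 1 otherwise. Assumes GNU stat (Linux).
audit_hosts() {
    file=$1; want_uid=$2; shift 2
    fail=0
    # Step 3: the file must be owned by the privileged account.
    uid=$(stat -c %u "$file") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL owner uid is $uid, expected $want_uid"; fail=1
    fi
    # Step 3: group and other must not have the write bit (644 or 444 pass).
    mode=$(stat -c %a "$file")
    case $mode in
        *[2367]?|*[2367]) echo "FAIL mode $mode lets non-owners write"; fail=1 ;;
    esac
    # Step 2: each domain needs an uncommented line pointing at a sink address.
    for d in "$@"; do
        if ! awk -v d="$d" '
            /^[[:space:]]*#/ { next }
            $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
                for (i = 2; i <= NF; i++) {
                    if ($i ~ /^#/) break
                    if ($i == d) found = 1
                }
            }
            END { exit !found }' "$file"; then
            echo "FAIL no blocking entry for $d"; fail=1
        fi
    done
    # Step 6: warn if the immutable flag cannot be confirmed.
    if command -v lsattr >/dev/null 2>&1; then
        case $(lsattr "$file" 2>/dev/null | cut -d' ' -f1) in
            *i*) ;;
            *) echo "WARN immutable flag not set or not readable" ;;
        esac
    fi
    return "$fail"
}

# Constructed sample: a temp file stands in for /etc/hosts, owned by this user.
sample=$(mktemp)
printf '0.0.0.0 blocked.example\n' > "$sample"
chmod 644 "$sample"
audit_hosts "$sample" "$(id -u)" blocked.example missing.example \
    || echo "lockout incomplete"
rm -f "$sample"
```

On the real machine, run it as the daily user against /etc/hosts with owner UID 0 and your own list of blocked domains.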

Use allowlists when you need the hardest setup
  1. List the sites you actually need.
  2. Block everything else at the router, proxy, or firewall.
  3. Keep the allowlist small.
  4. Have the trusted person hold the override credentials.
  5. Review the allowlist before you add anything new.

Third-party tools

Only use these when the built-in stack is not enough. They are backup layers, not the first layer.

Reality check

No setup is perfect if one person owns every password and every admin account. Lockout only works when the trusted person actually controls the recovery path. If you need the simpler version, use Guardrails first.