I want to configure Windows so that certain categories of websites are permanently inaccessible in a way that cannot be bypassed by changing DNS settings, using VPNs/proxies, accessing direct IPs, or installing alternate browsers.
I am looking for a technical, system-level solution using Windows features such as enforced DNS, firewall rules, Group Policy, AppLocker, user-account restrictions, and blocking tunneling tools. What is the correct approach to lock down DNS, prevent VPN/proxy usage, block unauthorized browser installs, and remove local admin rights so that this setup becomes effectively hardened?
This is a personal Windows device. I want to block access to specific known categories of unwanted websites using DNS filtering (such as services that classify domains into categories), combined with Windows system-level restrictions to prevent bypass. I understand no category database is 100% accurate; the goal is not perfect classification but strong practical enforcement. I want to remove local admin rights from my main account and apply DNS enforcement, firewall rules, Group Policy restrictions, AppLocker, and VPN/tunneling prevention from a separate admin account.
So far, I have researched DNS-based filtering (NextDNS, CleanBrowsing, ControlD), Windows Firewall configuration, and Group Policy restrictions, but each method alone is bypassable if the user still has admin rights. I am trying to understand the correct combination of policies and restrictions that will work together once admin rights are removed.
