Hello,
Indeed, there are several ways to implement a solution for your requirements, though I think the best way is to tackle it at the DNS level. For that there are two options: intercepting DNS queries by hooking the WinAPI call for name resolution, or tunneling DNS queries through a local DNS server.
Hooking is quite a complex process, not to mention its hacky nature, so I believe it should be used only as a last resort. It basically means modifying system DLLs and intercepting WinAPI calls at runtime, acting like a virus. No wonder antivirus software doesn't like it and raises alarms. I won't go into further detail, but I think it's overkill for this project.
The second option is using a local DNS server. All we have to do is alter the network connection properties and assign 127.0.0.1 as the DNS server. It would forward queries to the actual DNS server you use only if the domain to be resolved is on the website allow list, and simply ignore the request if it's not. Of course, such a DNS server doesn't have to be local to each machine; if you prefer, you can deploy a single instance on your network and simply set the DNS in the properties to its address. For the server we can use a library in the application itself or, better, use a lightweight DNS server and control it from the application.
Anyway, I am planning to use C# to implement the solution. Per your request, it'll target Win7+. I expect to be ready in 10 days at most. Thanks.
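Below is an added example of the allow-list DNS forwarder described in the message above. It is not the poster's code (they plan to write it in C#); it is a minimal Python sketch to show what the server actually has to do: parse the question name out of a raw DNS query, check it against the allow list, forward it to the real resolver if allowed, and otherwise answer locally. The allow list, the upstream address 1.1.1.1 and the listen address are assumptions for the demo. One deliberate difference from the text: instead of silently ignoring blocked queries, which leaves the client waiting for a timeout and retrying, the example returns NXDOMAIN so the client fails fast; dropping the packet would be a one-line change in handle_query.

```python
"""Allow-list DNS filter: forward permitted names upstream, refuse the rest locally.

Added example, not part of the original message. Stand-alone: binding port 53
needs administrator rights, so the decision logic is kept separate from the socket loop.
"""
import socket
import struct

# Constructed sample allow list; a real deployment would load this from config.
ALLOWED_DOMAINS = {"example.com", "example.net"}
# Upstream resolver the allowed queries are forwarded to (assumption for the demo).
UPSTREAM = ("1.1.1.1", 53)
LISTEN = ("127.0.0.1", 53)

RCODE_NXDOMAIN = 3


def parse_question(packet):
    """Return (qname, qtype, question_end) for the single question in a DNS query.

    Raises ValueError on anything malformed. Compression pointers are rejected:
    a question name in a well-formed query is never compressed, and accepting them
    would let a client point the parser anywhere in the packet.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4


def is_allowed(qname, allowed=ALLOWED_DOMAINS):
    """Allow the listed domain and its subdomains; 'notexample.com' must not match 'example.com'."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


def nxdomain_response(query, question_end):
    """Build a response with RCODE=3: same ID, same question, QR set, no answer records."""
    ident, flags = struct.unpack("!HH", query[:4])
    # QR=1, keep OPCODE and RD bits from the query, RA=1, RCODE=NXDOMAIN
    resp_flags = 0x8000 | (flags & 0x7900) | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", ident, resp_flags, 1, 0, 0, 0)
    return header + query[12:question_end]


def forward_upstream(query, upstream=UPSTREAM, timeout=2.0):
    """Relay the raw query to the real resolver and hand its raw answer back unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        data, _ = s.recvfrom(4096)
        return data


def handle_query(query, allowed=ALLOWED_DOMAINS, forward=forward_upstream):
    """Return the bytes to send back to the client, or None to drop the packet."""
    try:
        qname, _qtype, question_end = parse_question(query)
    except ValueError:
        return None  # malformed: nothing sensible to answer, drop it
    if is_allowed(qname, allowed):
        return forward(query)
    return nxdomain_response(query, question_end)


def build_query(name, ident=0x1234, qtype=1):
    """Construct a standard recursive query (constructed test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(listen=LISTEN):
    """Run the filtering resolver; point the adapter's DNS setting at this address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            query, client = srv.recvfrom(4096)
            reply = handle_query(query)
            if reply is not None:
                srv.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Two points worth keeping in mind when porting this to the C# server: the allow-list match must be on whole labels (a plain suffix check would let `notexample.com` through), and the filter only helps if the client cannot bypass it, so the adapter's DNS must be locked to the filter's address and direct outbound UDP/TCP 53 to other resolvers blocked at the firewall.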