As you are conducting an investigation, you should really image the HDD using a forensics tool like EnCase or Vogon, and analyse the data from the image, not from the original HDD. Otherwise your evidence is open to challenge by the employee in question.

Also, does the HDD have a username and password unique to the individual under suspicion, or does it have a generic logon? If the latter, then the "suspect" may squirm out of it by claiming that "someone" else must have used the laptop for nefarious purposes. They may also use this defence if the laptop has been stored somewhere where other members of staff had access. A police officer in the UK under investigation for viewing paedophile material on the net successfully defended themselves in court using exactly this defence.

I also seem to remember that a suspected "hacker" successfully defended themselves in court by claiming that a trojan was on their PC that may have been used by someone else to perpetrate the hacks in question.

From the defence point of view, its all about reasonable doubt, and when a judge/jury or even an internal disciplinary committee don't understand the technical issues, then that reasonable doubt is fairly easy to establish.

On the plus side, my experience is that if all you're after is bringing the employee into line, then confronting them with whatever evidence you've gathered usually results in them blubbing and confessing all. If they don't understand the issues surrounding the integrity of evidence, they usually consider themselves caught "bang to rights" even if you do more than show them the contents of their IE History folder. But a more savvy employee may brazen this out, and then your evidence handling becomes an issue.

In short, your internal procedures for handling evidence (which must stand up to third party scrutiny if necessary) are as important as the actual evidence you collect.