Can anyone tell me if I'm heading in the right direction with this? First of all, approximately what percentage of a proxy server's workload/bandwidth consists of blocking access to restricted sites?

I was thinking that instead of using the proxy server to block access to restricted sites, you (as the system admin) could instead make a list of those sites that you want to deny network access to, and include them in the HOSTS file (for W2k machines). And if someone tried to access them, then your HOSTS file would just redirect them to a page on the intranet or something (anything actually). And you could deny users the right to modify this HOSTS file. Any thoughts on this?
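
The approach described in the post above, as an added example that is not part of the original post: it builds HOSTS entries from a deny list and then audits which requested names those entries actually cover, since a HOSTS file matches exact hostnames only. The redirect address `10.0.0.5`, the deny list and the requested names are constructed sample values.

```python
"""Added example: build HOSTS entries for a deny list and audit their coverage."""

# Assumptions (not from the original post): the intranet notice page is served
# at 10.0.0.5, and the deny list below is constructed sample data.
REDIRECT_IP = "10.0.0.5"
DENY_LIST = ["games.example.com", "Chat.Example.net", "games.example.com"]


def build_hosts(deny_list, redirect_ip=REDIRECT_IP):
    """Return HOSTS file text mapping each denied name to redirect_ip."""
    # Normalise case and trailing dots, and drop duplicates.
    names = sorted({n.strip().lower().rstrip(".") for n in deny_list if n.strip()})
    lines = ["127.0.0.1\tlocalhost"]
    lines += [f"{redirect_ip}\t{name}" for name in names]
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Parse HOSTS text into {hostname: ip}; this example keeps the first entry seen."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lookup(table, hostname):
    """Exact-name lookup, as a HOSTS file does: no wildcards, no subdomain match."""
    return table.get(hostname.lower().rstrip("."))


def audit(table, requested, redirect_ip=REDIRECT_IP):
    """Split requested names into those the HOSTS file redirects and those it misses."""
    redirected = [h for h in requested if lookup(table, h) == redirect_ip]
    missed = [h for h in requested if lookup(table, h) != redirect_ip]
    return redirected, missed


if __name__ == "__main__":
    table = parse_hosts(build_hosts(DENY_LIST))
    # Constructed requests: two listed names and one sibling host that is not listed.
    print(audit(table, ["Games.Example.com", "www.games.example.com", "chat.example.net"]))
```

Every hostname a site uses needs its own entry, so the audit's "missed" list is what the deny list still has to cover.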