You can do it a couple of ways. You can whitelist sites, where all sites not on the list are automatically blocked, or you can blacklist them, where sites matching certain characteristics or on a particular list are blocked. Neither way necessitates logs or monitoring.

Hmm, what about this approach - monitoring adds a certain action on top of that blocked (or not) website you try to access. It gets reported, your credit/social/whatever score goes down. As a kid, you might have a talk with counselor, or your parents with principal. As working adult, you might get a warning or get fired. Your access to foreign travel, sim card, voting etc. might get altered.

That's both monitoring and blocking. I'm not sure you can block without monitoring.

Banks are strict on their work laptops. - Everything is tunneled through VPN

- 2 FA

- geofencing at VPN level (you can't take work laptop to Russia, India, China, etc)

- everything is whitelisted. Some employees can only access x.theirBank.com, everything is else blocked. This is the case with tellers, folks in the retail banking

- even for IT/dev, one should get explicit permission to get access to youtube, github

- every work laptop comes with an agent like ZScalar, which enforces these policies by coordinating with a central server.

...but that sounds like monitoring?

For example, downloading a list of prohibited domains to your device and running a local firewall. “Monitoring” in this context implies that someone will be able to later review the websites you’ve visited or tried to visit.

Every enterprises local firewall I know of can report back to a central system for logging.

I don’t have any special knowledge of enterprise firewalls; parent just asked how it was possible.