Hosts file is not good enough, especially with Windows.
Deploy the blacklist at the proxy/fw/perimeter control devices (ideally also nameserver, point them all to a blackhole, bonus points for logging queries) and give the admin an elevated account on the proxy, dedicated tunnel, separate VLAN w/ "internal VPN" or similar solutions. Ideally also let him use outside DNS instead so you can lock down the main one properly.
Better for security that way, also helps with a common scenario where a computer is trying to go places with "nobody" logged in or a malware-hijacked admin account, rootkit that doesn't care about your host file etc. Also helps when someone plugs another computer into LAN as well, poor man's limited port security.
You can't trust the local computer/account/whatever to behave.
I'm going to assume you can't say "no" to the owner, so be sure to get a written & documented CYA from this particular admin/owner that "needs" to go everywhere so when he goes somewhere he shouldn't and all the data gets jacked you have that CYA. These types have a tendency to know too much for their own good.
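An added example, not part of the original posts: one way to move an existing hosts-file blacklist onto the nameserver as a logged blackhole, as the post above suggests. It assumes the resolver is dnsmasq (the thread names no product); the sample blocklist and the function names are constructed for illustration.

```python
import re

# Constructed sample of a hosts-file blocklist (not from the thread).
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1   localhost
0.0.0.0     ads.example.com tracker.example.net   # two names on one line
127.0.0.1   ADS.example.com
0.0.0.0     bad_host!.example.org
::1         ip6-localhost
0.0.0.0     malware.example.org.
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names a stock hosts file maps to loopback; these must never be sunk.
SKIP_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
              "ip6-loopback", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_domain(name):
    """Accept only well-formed multi-label names so nothing odd reaches the config."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def blocked_domains(hosts_text):
    """Return the sorted, de-duplicated domains a hosts-style blocklist sinks."""
    domains = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in SKIP_NAMES and valid_domain(name):
                domains.add(name)
    return sorted(domains)

def dnsmasq_config(domains, sink="0.0.0.0"):
    """Emit dnsmasq lines: query logging plus one blackhole entry per domain.
    Unlike a hosts entry, address=/d/ip also answers for every subdomain of d."""
    lines = ["log-queries"]
    lines += [f"address=/{d}/{sink}" for d in domains]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(dnsmasq_config(blocked_domains(SAMPLE_HOSTS)), end="")
```

Because the entries live on the resolver, they apply to every device that uses it, and the query log shows which client asked for a blocked name.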
Oh, believe me, if I could deploy all that, I already would've. There's literally zero budget. Long story short, the laptop belongs to a very non-techie friend of mine, and she lets everybody and his brother borrow it. It gets even worse, since despite her 10GB monthly data cap, she lets everybody use her WiFi, and routinely has 6 devices connected at any given time.
*edit* Basically, I'm locking down the laptop first, then I'm going to see what type of control that Netgear R6100 can exert over the other devices, priority/QoS wise.