No matter what you do, he can always circumvent it - You don't have access to his terminal (actually you can "get" that, since you are both on the same network, but "getting" it is a different issue
) , cant inject and protect the hosts and also can't use opendns parental controls.
You could try url filtering in the router, provided your router has that option but it would only stop him as long as he does not find a proxy you forgot to block. (but at least its a viable deterrent to some extent, since proxy speeds would be somewhat lesser) My suggestion, ask him politely not to visit these sites, back that up with a threat to permanently disconnect him from the bb, and finally filter his mac if he connects wirelessly or disable the lan port if he connects with cable.