My first reaction is that perhaps simply telling the employee that you're aware of the non work-related internet access and to ask them to stop. Perhaps remind them of whatever official internet policy you have. If they're an adult and a good employee that cares about their job, that should be enough and won't cost you or your practice a dime. If they continue to abuse it, then perhaps Wheelz idea is appropriate.
I don't know about specific software packages that do this, i'd be checking the great Google too.
But you might already have a solution in the router that's serving up your network. Some have filtering options. I know that my home router (D-Link DiR-655, $100) has website filtering options that can be placed on specific MAC addresses or IP addresses on the network. It think it even allows for time-based restrictions, like blocked/allowed from 9-5, etc. As I recall, it can do black-listing (do not allow list) or white-listing (only allow list). It's pretty cool, for a simple home router.
It sounds like you want to white-list sites. So if you have a list of websites that they can access, you could tell the router to only allow those websites on certain computers. All other sites will simply be blocked. And of course, you'd leave full access to the computers that need to retain full access.
All that said, I don't actually use those features because I have no need to. But if that was an option that you were considering, I'd be happy to take a closer look at what the router can and can't do and let you know.
Something to think about, anyway.
