Whatever method you use for URL Blocking can always be defeated by using a proxy server
But for someone with limited administrative rights, the following may work for non-techie kids
Method1.
Assuming that all the nodes of the child domain are in one location, and are on the same NW switch
Reconfigure one of the computers in the domain to serve as a gateway to the rest of the network.
You can install an opensource proxy like squid and block whichever site you want to block.
Method 2.
Go to every windows machine open the hosts file and append the lines below
The host file is located at "%SystemRoot%\system32\drivers\etc\" for both win32 and win64
where %SystemRoot% is the windows installation folder e.g. "C:\windows"
This will redirect any facebook url requests back to localhost