Here’s a principle to abide by: if you can sit down at a Win98 computer and enact a particular restriction (deleting regedit, for example), anyone sitting at that computer can un-enact that same restriction (barring extreme cleverness on the part of the access control software which none actually implements because it’s not worth their while: if you cared that much, you’d be using a secure OS, not their software). The trick is to make the restrictions somewhere else, such as on the network itself, that the user doesn’t have control over.
It’s actually very cheap to do this in a pretty bulletproof way, but there is definitely a time investment unless someone on your IT team is a tinkerer of the right sort. But this is a pretty useful thing to learn how to do, so you might consider it worthy of experimenting with at home, in which case you can get it right and then just bring it to work and impress everyone.
Step one: firewall your network. This can be set up for free using something like m0n0wall and a Win95-era PC found in someone’s storage closet. The firewall goes someplace “central” that the students can’t access, and goes between the main school network and the internet. M0n0wall is kind of neat in that the whole thing (your configuration included) can be burned onto a CD that the computer boots from, so no hard drive is even necessary. This firewall should be configured to block all outgoing connections with exceptions for critical school needs (e.g. connections to district servers)* and/or specific computers in secure locations (e.g. some offices), and one last exception: the proxy server.
Step two: set up a proxy server. I can’t particularly recommend a specific piece of software here, but the important part is that you can install this on any computer you want, so long as it’s one the students don’t have control over. This means it can be a windows machine running some point-and-click-to-admin proxy software, or it could be running squid, or whatever you want (it could even be running on the same computer that’s acting as the firewall). Then you configure it with the particular whitelist and/or blacklist and/or time-based rules you want, and it is allowed free access to the internet, but acts as a filter for all requests from the students. If they disable their proxy settings in the browser, they get nothing at all because the firewall blocks them.
This is not an impossible system to defeat, but it is strong enough that defeating it requires real network hacker techniques such as compromising off-limits computers or forging network addresses, both of which are probably serious enough to get you expelled regardless of why you’re doing it.
*Note: one way to get a good feel for what exceptions you need for critical school needs is to set up the firewall such that it does not block anything, but logs everything, then let it run for a week and go through the logs to review all non-HTTP traffic to see what else the school is doing. Even if you think you know all the critical needs, this would be a good sanity check to make sure you didn’t forget anything that’s going to cause a problem when you flip the switch.