The method that we have used at a few different business is content filtering services provided through subscriptions on a business-class firewall. Namely, the ones we have used are Sonicwall firewalls with the Content Filtering service. This is an annual subscription that you have to pay, but given the complexity of other solutions and the investment that might have to be made into routers and servers necessary to make it work, it ends up being a great value.
Sonicwall content filtering service works with configuring the firewall with different content filtering policies (you can have multiple for different networks or segments of your network as needed.) Instead of having huge long lists of allowed or blocked websites (called whitelists) it is category based. There's just a list of different categories of websites that you can check to block if you wish (such as pornography, violence, hacking, social media, etc.) The benefit with this is you don't have to be updating any lists or adding anything special to do, just select the category and done. There's also not a simple DNS change to bypass this as with OpenDNS, because it is a running service on your gateway regardless of DNS. It has worked wonderfully at all of the offices we have used it.