The HOSTS file is a Windows feature. UEFI has its own network stack that does not depend on the OS. That's why it can download the latest firmware even without booting into any OS. You need to block the sites on the router, and that might require a decent router with firewall capability.
So... if I disable the network stack in my BIOS settings, does that mean UEFI couldn't use it either, before the OS has installed its stack? Not that that's any more helpful, since I'm most worried about this after a CMOS reset or BIOS update, should I forget to disable those things. I suppose I could unplug the RJ-45 plug until BIOS is set up again after one of those.
Also, I thought that was only to allow unattended push-installs on a managed network, which doesn't (exactly) apply to me as a home user. But considering how shady GB and Asus are with this, I can see them using that back door to push something into my system anyway. I can just imagine my PC turning on in the middle of the night to install something they sent out without asking me. I always disable those features (Wake-on-LAN, Network Stack, etc.) in BIOS; before, it was a matter of principle, but now there appears to be a very real threat potential.