Not to bump an old thread, but I just saw this...
If you want to be a bit covert about it, and have a fair bit of networking and computer skills, you could always set up a proxy server. An old PC with two network cards, a copy of pfSense, and a decent-sized hard drive could probably do what you want.
Squid proxy server (runs on Linux and BSD), set their browsers up to use Squid, and off you go. It keeps logs that you can look at later. If you get fancy with your firewall, you can force them to use Squid (block their computer from making outgoing port 80 connections), or get even sneaker and have your firewall work along with Squid to do transparent proxying.
We used to do this at WinWorld (browser proxy settings + transparent proxy for things that weren't set up/couldn't use proxy servers) and it kept tabs on the general populus of the workforce quite nicely. Then you get into ACLs and block stuff like Facebook to increase productivity and revenue.