As you are both IT people there is no reall way to block this. You need to sit down with him and go over the rules with him. Start writeing him up then send him home with out pay. Once you start screwing with his pay we will ether wise up or find another job.
I myself being head of IT where i work, we use a sonicwall and block the usual stuff plus all social network and youtube. This blocks everyone across the board, for me to get around this i use logmein and remote to my home computer and can lookup anything i want, or set my computer to a static ip address and alow that ip address to get out through the sonicwall. no matter how hard you try there will always be some way around what your trying to do. If you are abe to stump him and block whatever hes looking at then he will spend most of his time trying to find away around what you setup instead of working.