I put Neon on a relatives PC for family a few months ago to remotely manage it and his parents want to restrict him to a whitelist of websites.

I have full admin control of the system and he already cannot install anything, but what I don't have is access to their router from here (and their router isn't supported by good open firmware that would let me setup custom DNSMASQ blocks and such).

The problem I've found with all the Ubuntu Help topics related to this subject (dansguardian, dnsmasq, etc) is they are all DNS blockers. All it takes is him getting raw IP addresses (from his phone, a school PC, whatever) to circumvent blocks, or even worse more recently he just grabbed a Chrome VPN addon to circumvent all the filters.

Trying to understand iptables filtering on the subject is like trying to decipher hieroglyphics, though (and I'm not even sure thats a good answer). And I want an easy to access control list so I can add school resources where reasonable, and I don't want corporate IP blocklists because his parents still want him to have access to resources like docs.google.com while not having plus.google.com (and under dnsmasq that was fine, I could just whitelist docs.google.com).

Probably the most fundamental problem is how you can change proxy settings in Chrome or dns settings in NetworkManager so it stops using dnsmasq. If I could get away with an ironclad dnsmasq whitelist he couldn't get around that would be my preferred solution.

If all else fails I guess I could buy them a router that supports LEDE and setup whitelist blocking just for his pcs name in dnsmasq. Just wondering if there is an option in Neon I haven't tried yet to make this work. Its basically a hostile user you want to prevent accessing anything but a limited set of DNS records at the NetworkManager level / above their user account.

You can install proxy server (squid for example) on his pc and forward all outgoing traffic to the proxy using iptables. Most proxy servers support ACLs which let you block all sites except white listed ones.