December 9, 2009 at 5:20 pm #49255
If you are using proxy the sites will be opened, cause traffic will be originated from the ZS itself and not from the hosts, so it needs to be blocked on the OUTPUT chain as well.
If you are not using proxy, please show us the output of the command:
iptables -L -v
iptables -t nat -L -v