Keyloggers can be excluded, assuming avast is actually alerting on it. But the problem with keyloggers is that they are not proactive, so you only find out after the fact and you have to actually monitor what the keylogger reports.
You can add the full path to the file to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and avast Settings, Exclusions
~~~~
So OpenDNS is one way to go and using the Dashboard function can block categories. However, if they were able to get round your BIOS password, they are likely to get round your OpenDNS logon user name and password if you don't use strong passwords.
~~~~
I would also suggest that you assign them Limited User accounts (limits the damage any malware can do), so they don't have many rights to go snooping round other users' areas. That would mean that all users would have to log on with a password (strong, not one your boys can guess/hack).
~~~~
Another option is something like Naomi Parental Control software (freeware)
http://www.radiance.m6.net/