Question : One of my users is using a proxy website to surf the web

Hey Experts,

I have a user who is ultimately bucking my company's internet usage policy. He has dropped off the map so far as picking up his web visits using our monitoring software. My firewall shows that his IP address is definitely moving packets to and fro. How do I find out what site he is using to mask?

Answer : One of my users is using a proxy website to surf the web

You know his machine's internal address, or you can at least find it out, right?  This makes it easy:
1) Set up a network analyzer (such as www.wireshark.org) near the network border and capture all of the packets going out to the Internet.
2) Set up a capture filter to capture all of the traffic from his machine. Configure it with a circular "ring" file buffer of 10 files for 32MB each. This will give you 320MB of traffic to scan through. Increase even further if you care that much.
3) Start the capture and let it run until it is full (a day?), then turn off the packet capture.
4) Now, go through the packet data. If you see that it is all encrypted and all going to ONE IP address on the outside, then he is probably using an SSL relay or SSL-VPN to perform web tasks.
5) Check the IP address of the machine that he is talking to. Do a TRACERT to that IP address, and note the DNS names that come back. Is the last address something that could be on his home machine (i.e. if you are in CA and the last hop includes a CA address on it)? Is it going somewhere else? Could it just be an Internet radio station streaming data all day long?

Ultimately, I agree with MikeHolcomb. You can spend time on this to determine what he is doing, but the ultimate question is proof, and what you can do about it (and what SHOULD you do about it). Most Internet Usage policies are written as guidelines, with no real enforcement intended. Like telephone usage, limited use of the Internet at work is expected, especially when people are spending over 1/3 of their days in the office -- they will need to do personal things on company equipment from time to time. The problem is actually about abuse of the privilege.

Another solution, which many people fail to worry about, is their Internet cache. Take a photo browsing tool and point it at the web browser cache folder on that computer. If you see a bunch of work-related pictures, then I wouldn't sweat it. If you see news-related pictures, then perhaps it is a quest for knowledge. If you see a bunch of stock graphs, then things may be questionable. If you see a bunch of porn, get rid of him!
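One way to run the "is it all going to ONE IP address on the outside?" check from step 4 over exported conversation data, as an added example that is not from the original answer. It assumes a 10.0.0.0/8 internal range and uses constructed flow records shaped like Wireshark's Conversations export (src, dst, dst port, bytes out).

```python
import ipaddress
from collections import defaultdict

# Constructed flow summary for illustration only (not real capture data):
# src_ip,dst_ip,dst_port,bytes_out
FLOWS = """\
10.0.0.23,203.0.113.7,443,48120000
10.0.0.23,10.0.0.5,53,3100
10.0.0.23,198.51.100.9,443,12000
10.0.0.41,93.184.216.34,443,2400000
10.0.0.41,198.51.100.9,443,1900000
10.0.0.41,203.0.113.80,80,800000
10.0.0.41,10.0.0.5,53,42000
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_flows(text):
    """Turn the CSV-style summary into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split(",")
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def concentration(flows):
    """Per internal host: (total bytes to outside, top outside dst, share to it).
    Internal-only flows (e.g. DNS to the local resolver) are ignored."""
    per_host = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_host[src][dst] += nbytes
    result = {}
    for host, dsts in per_host.items():
        total = sum(dsts.values())
        top_dst, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        result[host] = (total, top_dst, top_bytes / total)
    return result


def flag_tunnel_candidates(flows, min_bytes=10_000_000, min_share=0.9):
    """Hosts sending a lot of traffic almost entirely to one outside address
    match the single-destination pattern the answer describes in step 4."""
    return {h: c for h, c in concentration(flows).items()
            if c[0] >= min_bytes and c[2] >= min_share}
```

A flagged host is only a lead: step 5 (TRACERT, reverse DNS, and ruling out a streaming service) still decides what the destination actually is.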