The premise: Old Samsung laptop (40GB HDD, 700Mg RAM) is being repurposed for use by a 9-year old with very little experience of using the internet.
Better safe than sorry, I went all out. Debian runs very decently on the decrepit machine and I used tinyproxy to block everything apart from wikipedia.org – details below. Short of that, I just removed the Chat software and the Epiphany browser (I set up Iceweasel to go through tinyproxy) and it looks safe enough!
Reference links for tinyproxy:
Excerpts of /etc/tinyproxy.conf:
Content of /etc/tinyproxy/filter: