Not only that, but it's likely that the kids have admin rights on the machine. ZoneAlarm will make it obvious where the block is. IPSec rules are quite a bit harder to trace down, if you don't already know all about them. :-)
Of course, they may very well just switch to a different IM client, then you block the port, back and forth. At some point, you just have to go and physically kick 'em out.