[atmosx]

Here's what worked for me:

1) Install GNU/Linux, most click adds target windows users.

2) Install an ad-blocker at DNS level. I use a custom variation of this: https://pi-hole.net/ (by default logs DNS requests, mind you. You can disable logging though).

3) Spent some time to educate him on what to avoid online

4) Lastly, I have an RPi running on a VPN exit node (actually I have an RPi cluster, but anyway). When I had an openWRT-based router, I had a script which was fetching porn/torrents/etc. IP addresses and adding routes to the router redirecting connections via VPN.

5) A separate guest network with radius accounting can go a long way into securing your network and help control access (I have a radius RPi server but my APs do not support accounting. I felt kinda screwed when I realised)

[zerognowl]

Put your parents on a VPN, great idea, instead of the other way around where I am the sole VPN user and pay more for my Internet connection because surfing without a VPN just feels weird these days. Also five minutes of OSINT on Google tells me I share my ISP-Issued IP with at least 1000 other paying subscribers, whereas a VPN can run into the millions of users, albeit not all using that VPN-Issued IP at the same time.

[atmosx]

Putting everything behind a VPN might a bit too drastic as it might start disrupting services relying o geolocation for fraud detection etc. But at least some traffic, for many reason, it's better to be shipped via vpn.