We had some permission things, so be sure to test it before applying the GPO.
I set up a share called "inet" on \\server for a folder named "inet" (e:\inet... contains common things like the log dirs, italc's key dir).
I created a subfolder for the logs, so now i was at E:\inet\logs (\\server\inet\logs)
I made sure the inet share had permission to browse folder, read, list contents. the "logs" folder had custom permissions for basically full permission, sans-deleting.
Yes, I know this means our little shits could potentially browse around, find the share, and view the browsing logs of every other kid.
But since they can't exactly browse the network without meaningfully wanting to.. and the fact even if they modify their own files (or someone else's), the person's file will become part of their browsing history and therefore be added to their list at logoff... we're not that worried.
We don't tell them how we monitor or what we do, they have no idea it's a bunch of html files somewhere; they simply know we can tell where they've been.
Plus, they've watched me use iTALC, so they assume it's simply all through that, and they can' run it if they wanted to.