I have a block rule that references a list called "Blocked URL Hosts" and have *.netflix.com/* in it.
Rule criteria: URL.Host matches in list Blocked URL Hosts
Action: Block / Setting: URL Blocked
If you just want to block the site entirely, then Kent's solution works great. However, I took the stance of allowing my users to log into Netflix, update their queue, etc. They just can't watch movies. So instead of *.netflix.com/* you can just block: *.netflix.com/WiiPlayer= (at least I think that's what the URL is. Not in front of my console right now, double-check first if you want to go this route.)
You'll have to block on URL, not URL.Host, as the following URL's are used for title browsing and queue management:
Title browsing: http://movies.netflix.com/WiHome
Queue management: http://movies.netflix.com/Queue?lnkctr=mhbqueInstant&qtype=ED
So if you just want to block users from actually watching a movie, use:
URL matches *movies.netflix.com/WiPlayer?movieid=*
which will match: http://movies.netflix.com/WiPlayer?movieid=70143302&trkid=4213507
Also, note that as of mwg 7.1.6 there is Application matching functionality. Enabling "Netflix" blocks the entire site, so this is not an option if you want to permit Queue management.