Comment by anyfoo

I'm less skeptical. OP already mentioned that most things were not encrypted back then, so this was probably still in the days of transparent proxies, so OP could have "just" added one with some ARP spoofing. They were somewhat common in school and office networks, and like regular HTTP proxies (except the transparent ones had the traffic redirected forcefully to them) they essentially consumed HTTP requests and sent new ones out to The Internet. While mostly used for caching and blocking, it seems relatively simple to me that OP could have just replaced e.g. some stylesheets served back to the client.