If they detect (what they consider to be) potentially malicious traffic, the connection gets put in a walled garden to notify the end user.
Is the OP's friend using non-Century link DNS? Wondering if it could be as simple as an over-enthusiastic detection policy triggering the walled garden. I've no idea how Century Link achieve redirecting to the notification page, but if they simply return the IP of one of their servers, using external DNS servers could easily break that leading to the impression that your internet has dropped out.
As others have said, rebooting the router would likely have acquired a new IP, so effectively cancelling a block.