Internet access restriction

SiR_dude

Hey all

need some advice - I have a computer at work that I want to limit internet access to only a few specific sites, and nothing else (think slacker employee that likes to play online games and surf all day). What are my options, on a budget of nothing?

I'm running Win Server 2k3, if that's any help. I've done some brief research, and all I came across is people suggesting third party software, or ISA server, which isn't an option for me :(
 
Best way is to run an Internet proxy probably.

Either that, or edit his hosts file and somehow define * to localhost and then the specific sites to their real IPs.
 
Is there a router between the machine and the internet? If there is you can put a rule on the router to prevent the machine from accessing the internet.

If not, you could do as viper suggested and set the hosts file to block everything but a few specific sites.

You could also install a firewall on the machine to prevent access to everything but the sites needed. Windows 2k3 I believe has extended firewall support, even though you may have to turn it on.
 
On my linksys router at home I can block sites.

Either that, or redirect everything to g o a t s e in the system hosts file.
 
Why is third party freeware not an option (assuming one exists since you're technically using it for commercial purposes)?

The hosts file suggestion is easily defeated if the guy you're restricting is any good with computers. They'll just replace it with their own while they're using your computer.

The router option is the best. It's off their computer, so outside their control, and you can do web page filtering on there. If they try and hack into it to remove the restrictions, then it gives you an avenue for firing them without fear of an unfair dismissal suit (assuming Canada has such laws).
 
I agree the router is the best way to go. However, if that isn't an option (router doesn't support the functionality), you can also restrict sites on your local DNS server. Just make sure to block port 53 on the router so they can't use another one off the Interweb.
 
The hosts file suggestion is easily defeated if the guy you're restricting is any good with computers. They'll just replace it with their own while they're using your computer.

Only if they have admin access to the computer, though, right?
 
Most of the time you can go to a proxy website, people use them all the time at college...
Except that he couldn't get to the proxy website because all sites but a set list would be blocked...
 
I might also point out that some sites are accessible by IP alone and don't require a name attached to them. A crafty user might use this to circumvent host files and DNS blocking.
 
Thanks for the suggestions - I didn't even think of the hosts file! The computer is just connected to an unmanaged switch, and I don't have a spare router.

Gonna try the hosts file...thanks again.
 
I might also point out that some sites are accessible by IP alone and don't require a name attached to them. A crafty user might use this to circumvent host files and DNS blocking.

You could have the PC set to use a proxy located at an address like 192.168.5.98 (i.e. one that doesn't actually exist) for all addresses except the ones allowed.
 
Something that came to me, but, you could make a little pop-up show up every time the computer starts saying something like 'This computer is being monitored' or something like that. I bet just by reading that your user will not be willing to do anything non-work related anymore.
Let's just say I worked for a company that used to do that, though I have a feeling they actually did check in.
 
Only if they have admin access to the computer, though, right?

Depends on how well you have the machine locked down.

If you're just using the standard user groups that come with Windows, logons in the "User" level can modify it.

If he's not running a router, it doesn't sound like he's come up with custom groups and locked them down properly either.
 
The accounts that users log in with are domain user accounts, so if I recall correctly, they can't modify the hosts file. In any case, this particular user is very computer illiterate, and wouldn't have a chance on earth of figuring that out.
 
..Hope it's OK to bump this..

I ended up using a GPO to assign his specific user account to use a proxy server of good ol' 127.0.0.1, and added the few sites to the exceptions list. Note - the hosts file does not allow the use of wildcards such as *, so no chance to use that to block everything.

Next question - I'd like to implement a method where the user is shown a web page that prompts him to request permission to access the site, and then emails someone else (me) with the web URL and the user's name. Any idea how I can do this? I'm guessing I will have to write some code...
 
Yeah, run a webserver somewhere with a website and redirect him there rather than 127.0.0.1.

You set up the web server to allow any domain name to be pointed at it. The PHP script then makes a form, fills in the domain box with the requested domain name, and then when he hits submit, it mail()'s you. Simple code.
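
Added example, not part of the thread: the proxy-with-exceptions setup from the GPO post and the "redirect him to a web server rather than 127.0.0.1" idea from the last reply, written as a proxy auto-config (PAC) file. The allowed hostnames and the 192.0.2.10 review-server address are constructed placeholders, and using a PAC file instead of the GPO proxy setting with an exceptions list is an assumption of this example.

```javascript
// Added example: default-deny allowlist as a PAC (proxy auto-config) script.
// Written in plain ES3-style JavaScript so older PAC engines can run it.

// Constructed placeholders: the few sites the user is allowed to reach.
var ALLOWED_DOMAINS = ["intranet.example.com", "supplier.example.net"];

// Constructed placeholder: the web server that shows the "request access" form.
// Use "PROXY 127.0.0.1:80" instead to simply black-hole everything else.
var REVIEW_PROXY = "PROXY 192.0.2.10:80";

function normalizeHost(host) {
  // Hostnames are case-insensitive, and a fully qualified name may end in "."
  return String(host).toLowerCase().replace(/\.$/, "");
}

function isAllowed(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    var domain = ALLOWED_DOMAINS[i];
    var suffix = "." + domain;
    // Exact match, or a subdomain match anchored on a dot boundary.
    // A bare "ends with domain" test would also accept "evil" + domain.
    if (h === domain) return true;
    if (h.length > suffix.length &&
        h.substring(h.length - suffix.length) === suffix) return true;
  }
  return false; // default deny: unknown names and raw IP addresses land here
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isAllowed(host) ? "DIRECT" : REVIEW_PROXY;
}
```

Because the decision is default-deny on the hostname, a URL that uses a bare IP address is also sent to the review server, which closes the gap raised earlier in the thread for hosts-file and DNS blocking.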
 