Restricting Internet Access

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi All

I posted a while ago on here regarding my college project. So far all is ok but here is the question.

The office has 12 PCs and only 6 should have internet access and the other 6 email only.

Which is the best way to go about this? I have setup server 2003 standard edition with RRAS and 2 NICs. 1 public and 1 private.

A possible solution I was thinking of was assigning 6 static private IP (DHCP reservations?) and 6 via DHCP and then 1 lot of 6 can have access. Am I going about this the right way? Bit clueless here.

All info appreciated

 

I shall have to try this at some stage!

I will have two or three OU's - such as CAN US, CANNOT US, and SIN Binned

What we do to restrict internet access, but not block if totally is the following:

1. Have a decent HR document in place that spells out how the rules and consequences.
2. Use a combination web and spam filter - we use CA's eSCM product...it is quite common in small gov agencies and colleges etc....though there are others out there to consider.

- a decent web filter is so valuable to an IT dept, the first things to block is adult content, gambling, violence and web mail. {For various sound technical and business reasons}

supa

 

Thanks buddy

Can you advance on that? I have opened a group policy editor mmc on my server. Am i in the right place? And if so what next?

Much appreciated

 

To set proxy settings you need to go to:

User Configuration\Windows Settings\Internet Explorer Maintenance\Connection and set the proxy URL/IP & port in the 'Proxy Settings' entry

To remove a user's ability to alter (or even look at) their proxy settings, the easiest method is to disable access to the 'Connections' tab in IE:

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\ and set 'Disable the Connections Page' to 'Enabled'

Of course, this won't work without a proxy server to point the settings at, and it won't prevent users accessin the net through a different browser...

 

Brilliant but just one thing. The users i want to restrict are already in different OUs. Can I add them to a new one.

Also could i do a policy that restricts them installing other browsers? Probably an apps install restriction eh?

Cheers

 

Cheers for that. But i cannot get the previous advice to work. Everytime i logon to a client with a user from the restricted ie ou the connections tab is still there. Am testing this is virtual pc if that helps.

 

Have you tried a "gpupdate /force"?

Microsoft recommend logging on and logging off for a user policy and restarting the machine for a computer policy. Sometimes, you have to do both!

Boyce

 

Have you never think about squid and squidguard.
You just need a old pc with one or two nic.
I use that in the schools.
The user has to prompt username and password for surf internet
and you can filter by site or by content or by user.
I can give you the ".conf" file if uou need.

 

The missing piece with a spam/web filter is to use a linux gateway/firewall that only accepts port 80 [http] requests from the spam/web filter.

Also there was an interesting thread, of all places at Novell, relating to this issue...

http://www.novell.com/coolsolutions/trench/14544.html

 

Tru dat, although there's no reason it has to be Linux-based. There's a lot of BSD-based O/Ses that are designed specifically for this, and, contrary to popular belief, you CAN lock windows down so that it has a tiny attack surface. Anyone who doesn't believe me should know that I've had an unfirewalled windows box sitting outside my LAN hanging off of a hub sniffing traffic for about six months...

Besides, so long as your Firewall admin knows what they're doing its not too hard to make sure that all outbound access is routed through a single point. Just stick a proxy behind the firewall (Squid would do fine for a small environment - though it can be a pain to manage until you get used to it) and configure the proxy only to be permitted access outbound on port 80, 443 and 8080 (the usual WWW suite)

I've got Squid running on a Windows box at home - don't do anything fancy with it like authentication because its just me and the wife, but its simple to set up and can integrate with AD through Samba if you want to provide integrated proxy authentication

 

OK I get the following GPOs were not applied because they were filtered out. Applied GPOs N/A

Any ideas?

 

Not really sure i know wot u mean there. Sorry im not really up on GPOs.

Cheers

 

Aye buddy that worked. Thanks. Is that it? Or is that applied domain wide?