
Need a cheap and effective method to control Internet access

Status
Not open for further replies.

kmcferrin

MIS
Jul 14, 2003
2,938
US
We are running a Windows 2000 AD/domain, and I need to be able to control users' Internet access. Probably 90% of our 500 users have no need to access the Internet at all, though we do use browser-based applications that require IE to work correctly. I need to implement a system that will allow me to restrict access to the Internet based on who is logged in, regardless of which workstation they are using. The system should be fairly easy to implement, and preferably be Windows based. Also, it needs to be fairly inexpensive. We do not require firewall protection (already have hardware firewalls) and at the moment we don't need to do much in the way of content filtering.

Ideally I would like to be able to separate my users into three groups:

1. Those who need unrestricted access to the Internet.
2. Those who need access to only a specific few Internet sites (whitelisted).
3. Those who do not need access to the Internet at all.

Does anybody have any recommendations?
 
Microsoft ISA sounds like it would satisfy your needs; it's not exactly cheap, though.

I have the same situation as you where I work; most need no access at all, a few need total access (bar a few sites) and the rest have a whitelist. At the moment we are using 'Proxy Server II' but it is a little limited and some hacking was required to fulfill all of our requirements. There are major issues with the ProxyII client and AD/XP machines so we will be moving up to ISA ourselves.

Still, for £20 it has done well over the last 3 years.
 
Does ISA require a client component? Ideally it would just sit as a proxy with addresses auto-populated by group policy or some other method.
 
I believe it does if you wish to use the SOCKS element of it; for basic HTTP proxying you wouldn't need it.
 
You can pass down the proxy info via group policy.

User config --> Windows Settings --> Internet Explorer Maintenance --> Connection --> Proxy Settings.

We use this applied at the OU level for those users going out via the ISA server.

You do not have to install the ISA firewall client on each machine, if that is what you are asking. The proxy works based on pointing HTTP traffic to the ISA address / port.

ISA can be installed as proxy only, firewall only, or both.

scottie

 
Yes, group policies sound good.
Ensure all clients are non routable.
Then the users that require net access should be in a separate OU with a policy to redirect their browsers via the proxy of your choice.

You could build a couple of squid proxy boxes on an old P300 or similar.

The users who require access to just a few sites could have their own policy set up and their own proxy.

Regards

Phil B
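
The three tiers from the original question, written as one Squid configuration that keys on the authenticated user's AD group rather than on separate proxies per OU. This is an added example, not part of any post in this thread. It assumes Squid 3.x or later on a host joined to the domain through Samba/winbind; the helper paths, the group names `Internet-Full` and `Internet-Limited`, and the whitelist file path are hypothetical.

```squid
# squid.conf fragment (added example; paths and group names are assumptions)

# Authenticate the logged-on user so the policy follows the account,
# not the workstation. ntlm_auth ships with Samba; the path varies by distribution.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Resolve AD group membership through winbind; cache each answer for 5 minutes.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

acl authenticated  proxy_auth REQUIRED
acl full_access    external ad_group Internet-Full
acl limited_access external ad_group Internet-Limited

# One domain per line; a leading dot matches the domain and its subdomains.
acl whitelist dstdomain "/etc/squid/whitelist.txt"

# Rules are evaluated top to bottom; the first match wins.
http_access deny  !authenticated             # no valid domain login, no access
http_access allow full_access                # tier 1: unrestricted
http_access allow limited_access whitelist   # tier 2: whitelisted sites only
http_access deny  all                        # tier 3: everyone else
```

These rules only hold if the existing firewall lets outbound web traffic leave from the proxy's address alone, which is the "non routable clients" point made above; otherwise a user can clear the browser's proxy setting and go direct.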

 
That sounds like it's really more complicated than it needs to be.

I know this is a very old thread, but we have found a solution or two that seems to work. We were shopping around for a new enterprise antivirus solution and it turns out that many of those suites now include a web proxy for actively scanning HTTP and FTP traffic. The proxies also allow you to do a moderate amount of access control and content filtering, so we should be set. Right now the two products in the running are Symantec's and Trend's.
 
Maybe you would want to look into Freeproxy. I use it (LAN, 100 PCs) and it does all of the above.
Give it a try; who knows, you might like it, and above all it's free.

 