Prevent web browsing 1

[kjuenke]

The boss wants me to prevent web browsing to all employees except those who he trusts.

The problem is, with Windows XP Pro, anyone can browse web pages by putting in a web address in Windows Explorer or Outlook's Outlook Today address bar.

Has anyone found a way to prevent this action?

Am I forced to put in a hardware solution at the router connected to our ISP?

Thanks in advance for any suggestions.
Ken Juenke

 

[iSeriesCodePoet]

I believe what we have done here is sent all traffic though a non-existance proxy, this is done in the internet options. Then allowed only used the advanced options to specify "local" addresses that they can access such as a vendors website or something like that.

iSeriesCodePoet
iSeries Programmer/Lawson Software Administrator

http://www.koldark.net

 

[vop]

Most routers can filter out specific MAC addresses (Linksys/Cisco). Such filters enable you to prevent certain PCs on your network from accessing your Internet connection.

You could also reflect a DHCP host range (say starting at 100) also as a filtered range of non-accessing internet restricted IPs. You could then setup static IPs for any 'trusted' computers from (lower) IPs not contained in that DHCP range of addresses.

 

[vop]

From the Linksys manual - Search Term: Filter

Filter IP Address Range

To set up a filter using IP addresses, enter the range of IP addresses you wish to filter in the Start and End fields. Users who have filtered IP addresses will not be able to access the Internet at all. If you only want to filter one IP address instead of a range of IP addresses, enter the same value into both fields. For instance, if you wish to filter the PC with the IP address of 192.168.1.5, enter 5 into both fields on one line: 192.168.1.5 ~ 192.168.1.5.

Filter Port Range

To filter users by network port number, select the protocol you want to filter, TCP, UDP, or Both, in the Protocol drop-down box. Enter the port numbers you want to filter in the Start and End fields. Users connected to the Router will no longer be able to access any port number listed there.

Filter MAC Address

This feature blocks computers with specific MAC addresses from going out to the Internet. For information on obtaining a MAC address, go to “Appendix D: Finding the MAC Address and IP Address for Your Ethernet Adapter.” To set the MAC filter, click the Edit MAC Filter Setting button.

 

[kjuenke]

First of all, thanks for all the positive feedback.

Now, if I prevent all internet access, this would also prevent the clients from getting their Norton Antivirus updates too, right? Then I have to think about all the Microsoft security patches and critical updates. I know I can download those using a computer with internet access and then apply them manually, but that is always more time consuming.

Ken

 

[rn4it]

Not necessarily, you could just filter out tcp ports 80 and 443. Depending on what version you have you can configure an update server which retrieves the updates and them updates the PC's. This way you only have one device going out for the updates. I don't think NAV uses ports 80 and 443, so you should be ok. At least in are implementation it doesn't.

 

[vop]

See the following discusson for another line of attack:

Limiting Internet access on one machine only

 

[Hondy]

have you considered web content filtering?
e.g. websense

http://www.websense.com/

is good