Restricting Web Site Access


rr236

IS-IT--Management
Oct 23, 2000
Hi,

Here's a question that I can't find an answer to in any of the forums.

Is it possible to have MS Internet Explorer, or Netscape Navigator, only allow access to a list of sites given in a pre-determined file stored either locally or on a shared drive?

Thanking you in advance
RR236
 
Yes, you can enable the firewall to only allow outgoing/incoming connections from the IP addresses of those selected sites.

--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
Not too sure that this approach will work as web sites share IP addresses?

Ideally there should be a file or database which simply holds the web site names that are authorised and this should be used by IE (or NS) to verify that the site can be accessed.

The reason that I am asking for a solution to this problem is because I am trying to convince a customer that access to the internet can be controlled in such a way as to ensure that employees do not abuse the access. He doesn't want to even offer the chance of abuse to his employees. It seems that all the security offered tends to work on the basis of allowing the abuse to take place and then discovering who did it.

Thanks
rr236
 
RR236:

Check out a product called Surf Control. It doesn't discover the site THEN block after discovery, it blocks straight out.

The only thing that could beat it was "safeweb" and the CIA has pulled the plug on that so, for now, it's safe.

We have used it very successfully.

-Viscereal-
 
There are some good products out there that approach it from the browser point of view.

Have a look at simplicti locked browser. I found it useful for providing PC & web security/lockdown.
 
If you are interested in doing this for an enterprise (rather than one or two individual machines), then you should invest in a proxy server, and perform filtering at the proxy itself. You have to block web access from all machines except the proxy in the router or the firewall to make proxies effective.

Take a look at the squid FAQ on access control. Squid will theoretically compile on Win32 and various forms of *nix.


I believe that you can set it up as a deny-all and then only allow connections to specific addresses/domains. Plus, you can pull all kinds of statistics on users' web browsing habits. That may be interesting for your client.

pansophic
 
Thanks to you all. Once I've found an acceptable solution I'll post it, but keep the ideas coming.

I've got a crazy idea that might work with an open source browser (i.e. as well as a favourites menu, how about replacing it with a "this is all you can see" menu).

Thanks
rr236
 
If you are using a company network there is a very easy solution.
Use a company proxy server to connect to the internet. With a product like Wingate (or similar) you are able to log and/or block web access or restrict web access to special websites.
But there is that backdoor with proxies and firewalls: if a more experienced user connects to a rewebber (maybe by IP), then he can fool your security. But the access to the rewebber is logged. I know of such a case, and the problem could be solved by firing this person after some warnings.

hnd
hasso55@yahoo.com
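
The deny-all-then-allow policy from the proxy posts above, combined with rr236's idea of a file of authorised site names, sketched as an added example (not code from the thread, nor from Squid or Wingate). The file format, host names and function names are assumptions made for illustration; the check matches on host name rather than IP address and refuses raw-IP URLs, the route hnd mentions.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allow-list file contents (placeholder names, one per line).
# A leading dot also admits subdomains of that domain.
ALLOWLIST_TEXT = """
# approved sites
intranet.example.com
.supplier.example
"""

def load_allowlist(text):
    """Parse one host name per line; '#' starts a comment; case-insensitive."""
    exact, suffixes = set(), set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        if name.startswith("."):
            suffixes.add(name)      # ".supplier.example" matches subdomains
            exact.add(name[1:])     # the bare domain is allowed as well
        else:
            exact.add(name)
    return exact, suffixes

def is_allowed(url, allowlist):
    """Default deny: only http(s) URLs whose parsed host is on the list pass."""
    exact, suffixes = allowlist
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False                # malformed URL
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ip_address(host)
        return False                # raw IP address: no name to check, deny
    except ValueError:
        pass                        # not an IP literal, treat as a host name
    # Suffix entries start with a dot, so "notsupplier.example" cannot match.
    return host in exact or any(host.endswith(s) for s in suffixes)

ALLOWLIST = load_allowlist(ALLOWLIST_TEXT)
```

Because anything not explicitly listed is refused, an unknown relay site is blocked without having to be known in advance, and each refusal is a natural point to log.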

 
I appreciate my colleagues' responses but I think I have a better grasp on what you're looking for. If you want to control viewable web pages at the desktop level you can set IE in kiosk mode. In this mode there are some drawbacks: the entire desktop is not viewable, including the start menu and desktop icons. Also it is very easy to get past this mode, but your average user wouldn't know it. Anyone with a "hacker" mentality will figure it out quickly.

If you want to give it a try to see if it suits your needs:

go to start menu
then Run, type iexplore.exe

Then edit the shortcut properties to include the -k switch.
This gets placed in the line on the properties tab that says 'Target'. It should look something like this (with the quotes):

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -k

Then when you double click this shortcut it should start IE in Kiosk Mode.

I hope this helps, if you have any questions e-mail me.
If not then I recommend any of the software previously mentioned in other posts. Unfortunately that is really your only other option (on the desktop level).

Tony
 
How would running IE in kiosk mode stop access to unauthorised web sites?

I think that a proxy with URL filtering would be a far better option.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Chris-
I understand what you're suggesting and agree that is a better way to go.
However, I work in an IT department at a University and getting anyone to approve funds for another machine to run as a proxy server is akin to pulling teeth. In addition I have no access to our network servers; in fact, I don't even know who our Admins are.

I don't know what rr236's situation is, but I, personally, am looking for a similar fix with about 20 machines in our testing and assessment center, which you'd think would be important enough to warrant their own proxy. Unfortunately it is impossible to get the money. In my case the solution has to be done at the desktop level of each machine.

And actually since responding to this post I have been reading some white papers on changes in the registry that will accomplish what both rr236 and I need done. (Unfortunately I have only found white papers on Win9x and I run 2000 Pro)
 
Another option you have that is a bit hokey, but is free, is to maintain an internal DNS server for the restricted users. You could then add websites to that DNS server as they are needed. This would work well for an environment that was looking to be very restrictive, but would not work well for one in which they only wanted to restrict porn but allow 95% of "unoffensive" sites. Just an alternative suggestion. If your client wants a full-featured solution, I recommend one of the multitude of firewall/proxy/caching solutions.
 
Jeff-

I am curious, how could I implement your suggestion? I wouldn't need to bring in another server? But what about access to the existing network? Due to the politics involved it is not likely I'd have access to network servers....


Tony
 