Good content blocker/site blocker for Vista workstation?

I have a client with a stand alone vista workstation that would like to
block almost all websites from anyone using the laptop. I don't use
workstation level products and this is a case outside my normal scope -
can anyone recommend a product that allows an Admin to setup permitted
sites for "user" level accounts on a vista workstation?


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)

on 2/7/09 8:37 AM Leythos said the following:
> I have a client with a stand alone vista workstation that would like to
> block almost all websites from anyone using the laptop. I don't use
> workstation level products and this is a case outside my normal scope -
> can anyone recommend a product that allows an Admin to setup permitted
> sites for "user" level accounts on a vista workstation?
>
>

http://www.netnanny.com/, also call your police state director for advice.

In article <>, says...
> on 2/7/09 8:37 AM Leythos said the following:
> > I have a client with a stand alone vista workstation that would like to
> > block almost all websites from anyone using the laptop. I don't use
> > workstation level products and this is a case outside my normal scope -
> > can anyone recommend a product that allows an Admin to setup permitted
> > sites for "user" level accounts on a vista workstation?
> >
> >
>
> http://www.netnanny.com/, also call your police state director for advice.

How is ensuring workers are not abusing the resources a "Police State"?
If you give people a set of rules and don't do anything to enforce them
you are giving them permission to violate them.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)

on 2/7/09 9:52 AM Leythos said the following:
> In article <>, says...
>> on 2/7/09 8:37 AM Leythos said the following:
>>> I have a client with a stand alone vista workstation that would like to
>>> block almost all websites from anyone using the laptop. I don't use
>>> workstation level products and this is a case outside my normal scope -
>>> can anyone recommend a product that allows an Admin to setup permitted
>>> sites for "user" level accounts on a vista workstation?
>>>
>>>
>> http://www.netnanny.com/, also call your police state director for advice.
>
> How is ensuring workers are not abusing the resources a "Police State"?
> If you give people a set of rules and don't do anything to enforce them
> you are giving them permission to violate them.
>

If you don't trust your workers, they will reciprocate. Plus you may
groom a bunch of non-thinking "heil" types that stab each other in the back.

But if you are a server guru, why not configure the PC to connect
through a proxy server and lock it down at the proxy?

http://www.websense.com/content/WebFilter.aspx


John



"Leythos" <> wrote in message news: om...
>I have a client with a stand alone vista workstation that would like to
> block almost all websites from anyone using the laptop. I don't use
> workstation level products and this is a case outside my normal scope -
> can anyone recommend a product that allows an Admin to setup permitted
> sites for "user" level accounts on a vista workstation?
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> (remove 999 for proper email address)

In article <>, says...
> on 2/7/09 9:52 AM Leythos said the following:
> > In article <>, says...
> >> on 2/7/09 8:37 AM Leythos said the following:
> >>> I have a client with a stand alone vista workstation that would like to
> >>> block almost all websites from anyone using the laptop. I don't use
> >>> workstation level products and this is a case outside my normal scope -
> >>> can anyone recommend a product that allows an Admin to setup permitted
> >>> sites for "user" level accounts on a vista workstation?
> >>>
> >>>
> >> http://www.netnanny.com/, also call your police state director for advice.
> >
> > How is ensuring workers are not abusing the resources a "Police State"?
> > If you give people a set of rules and don't do anything to enforce them
> > you are giving them permission to violate them.
> >
>
> If you don't trust your workers, they will reciprocate. Plus you may
> groom a bunch of non-thinking "heil" types that stab each other in the back.

And if you trust your workers and never check on them you are bound to
be screwed many times.

Many people do just fine with enforced technology constraints, and many
people abuse the network resources when they have only WORDS to restrict
them.

> But if you are a server guru, why not configure the PC to connect
> through a proxy server and lock it down at the proxy?

There is NO server and no true firewall, this is a stand alone PC that
some people can take home to remote into the office - it's not my
solution, would never do this, but I have to work with what I don't like
sometimes.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)

In article <>, says...
> http://www.websense.com/content/WebFilter.aspx

it's not easy to tell if it's a stand alone, workstation type product or
something at the gateway.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)

Can you control the laptop's DNS lookups? Not the hosts file,
but the primary and secondary servers? Just thinking out loud
here, but a proxy DNS could function as a whitelist couldn't it?

"Leythos" <> wrote in message
news: om...
>I have a client with a stand alone vista workstation that would like to
> block almost all websites from anyone using the laptop. I don't use
> workstation level products and this is a case outside my normal scope -
> can anyone recommend a product that allows an Admin to setup permitted
> sites for "user" level accounts on a vista workstation?
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> (remove 999 for proper email address)

on 2/7/09 4:33 PM Leythos said the following:
> In article <>, says...
>> on 2/7/09 9:52 AM Leythos said the following:
>>> In article <>, says...
>>>> on 2/7/09 8:37 AM Leythos said the following:
>>>>> I have a client with a stand alone vista workstation that would like to
>>>>> block almost all websites from anyone using the laptop. I don't use
>>>>> workstation level products and this is a case outside my normal scope -
>>>>> can anyone recommend a product that allows an Admin to setup permitted
>>>>> sites for "user" level accounts on a vista workstation?
>>>>>
>>>>>
>>>> http://www.netnanny.com/, also call your police state director for advice.
>>> How is ensuring workers are not abusing the resources a "Police State"?
>>> If you give people a set of rules and don't do anything to enforce them
>>> you are giving them permission to violate them.
>>>
>> If you don't trust your workers, they will reciprocate. Plus you may
>> groom a bunch of non-thinking "heil" types that stab each other in the back.
>
> And if you trust your workers and never check on them you are bound to
> be screwed many times.
>
> Many people do just fine with enforced technology constraints, and many
> people abuse the network resources when they have only WORDS to restrict
> them.
>
>> But if you are a server guru, why not configure the PC to connect
>> through a proxy server and lock it down at the proxy?
>
> There is NO server and no true firewall, this is a stand alone PC that
> some people can take home to remote into the office - it's not my
> solution, would never do this, but I have to work with what I don't like
> sometimes.
>

If you could remove IE and Outlook that would be were to start. Then
the person could only IPSEC/SSL into corporate net where its network
policy is enforced.

FromTheRafters wrote:

> Leythos wrote ...
>>
>>I have a client with a stand alone vista workstation that would like to
>> block almost all websites from anyone using the laptop. I don't use
>> workstation level products and this is a case outside my normal scope -
>> can anyone recommend a product that allows an Admin to setup permitted
>> sites for "user" level accounts on a vista workstation?
>
> Can you control the laptop's DNS lookups? Not the hosts file,
> but the primary and secondary servers? Just thinking out loud
> here, but a proxy DNS could function as a whitelist couldn't it?

That's how OpenDNS works (if you open a [free] account with them).
Rather than have the router configured to use the ISP's DNS server (via
DHCP), configure it by entering the IP addresses for OpenDNS' DNS
servers.

However, it is likely that the user gets a dynamic IP address for their
host (or their router) from their ISP. The OpenDNS account has to know
which IP address is yours to know the settings for which account to
apply to traffic from that IP address. They have their own reporter
client (or you can modify the one from DynDNS if you happen to also use
them to provide an IP name for external access to your router or host so
you don't need, for example, an IP address to use Remote Desktop or
VNC). You run their reporter client on one of your hosts in your
intranet (i.e., on the LAN side of your router). It will report the
router's WAN-side IP address to OpenDNS to update your account with
them. Then when your router connects to them, it sees that IP address
and knows to apply your account's settings to its traffic. Settings
include blacklisting of domains and blacklisted categories.

Alas, OpenDNS lets you filter out domains or categories of them but does
not let you filter in a particular whitelist of okay domains. You can
filter by:

Always block (a domain)
Never block (a domain)
Block by category

I have not tried using wildcards to specify a domain, so I don't know if
you could "Always block *" and then whitelist by "Never block <domain>".
If that works, you would end up blocking all domains except those you
whitelisted using the "Never block" rule. Of course, you could open a
support ticket to ask them if the above method works to provide a
filter-in only scheme, plus they have forums where you can ask.

A caveat is that this is blocking at the DNS server. That means there
actually has to be a DNS lookup. If the user enters an IP address, as
in http://96.6.126.19 (for www.intel.com), then there is no DNS lookup
required. This is how a user can bypass this DNS filtering. However,
often that only lets them get to the home page of a site and often there
is content missing in that home page and they may not be able to use any
links of that home page to navigate to other pages in the site. That's
because many of the links or linked content will still have IP names in
them that require a DNS lookup. Also, the user must somehow already
know the IP address of the target host.