Windows Vista Tips


Re: Blocking Sites in IE8 On

 
 
VanguardLH
Guest
Posts: n/a

 
      09-09-2011
TheScullster wrote:

> Hi all
>
> In a corporate environment with mainly XP but some Windows 7 clients.
>
> Using AD via Windows 2008 R2 domain controller.
>
> The question is, what are my options for blocking the use of individual web
> sites, e.g. facebook?
> The PCs go straight out via a router/firewall and do not use a proxy.
>
> Presumably I could exclude the sites within the firewall rules.
> The firewall is managed by an outside agency, so getting simple web site
> blocks is a bit of a pain.
>
> There also appears to be a content advisor jobbie within IE8, but this seems
> very fussy to setup (particularly for a number of users).
>
> Any pointers gratefully received.
>
> Phil


Block unwanted target sites by their hostname in your DNS server. When
the user enters the hostname for the target site (www.facebook.com),
your DNS server returns a link to an error or forbidden page.

There are entire huge web censoring services for this, like WebSense, if
you don't want to do it yourself. On the cheap side, you could get a
free OpenDNS account and configure all your workstations to use it for
DNS services (hostname to IP address lookup). In a free account, you
can specify up to 50 domains to block (you can block by host but you'll
probably want to block the entire domain). The paid accounts let you
define more blacklisted domains.

If you don't want to push a TCP/IP reconfigure onto all your
workstations so they use OpenDNS (or to prevent users from altering the
TCP/IP config regarding DNS), have your gateway or router host specify
to use it for DNS lookups, and then configure the gateway or router to
forward (fail) the DNS lookups to OpenDNS. If users can alter their
workstation's TCP/IP config regarding DNS, make sure your gateway or
router rejects any port 53 traffic that doesn't go to whatever DNS
server you want to use. They either use the company's authorized DNS
server or they don't get nameserver lookup services at all.
 
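As an added example (not code from the thread or from any of the posters), here is how the DNS-sinkhole approach described above can be set up on the Windows Server 2008 R2 DNS server the OP mentioned, using dnscmd, which ships with that release. The sinkhole address, the domain list and the internal "forbidden" web page are assumptions; the script must run elevated on a DNS server that is a domain controller.

```powershell
# Added example, not from the thread: sinkhole a list of domains on a
# Windows DNS server (2008 R2 via dnscmd). Every name under each listed
# domain resolves to the address of an internal "forbidden" page.
# Assumptions: $SinkholeIP and $BlockedDomains are constructed placeholders;
# a web server at $SinkholeIP serves the forbidden page.

$SinkholeIP     = '10.0.0.5'                          # placeholder: internal "forbidden" page host
$BlockedDomains = @('facebook.com', 'example.test')   # constructed list

foreach ($domain in $BlockedDomains) {
    # An AD-integrated primary zone makes this server answer authoritatively
    # for the domain (and replicates the zone to the other DCs) instead of
    # forwarding the query upstream.
    & dnscmd /ZoneAdd $domain /DsPrimary | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "zone add failed for $domain (already exists?)" }

    # Zone apex (facebook.com) and wildcard (anything.facebook.com) both
    # point at the forbidden page, so blocking covers the whole domain.
    & dnscmd /RecordAdd $domain '@' A $SinkholeIP | Out-Null
    & dnscmd /RecordAdd $domain '*' A $SinkholeIP | Out-Null
}

# Verification, to be run from a workstation that uses this DNS server:
# the answer must be the sinkhole address, not the site's real address.
function Test-Sinkholed([string]$Name, [string]$Expected) {
    $out = (nslookup $Name 2>&1 | Out-String)
    # Only inspect the answer section after "Name:"; the header lines show
    # the resolver's own address, which must not count as a match.
    if ($out -notmatch 'Name:') { return $false }
    $answer = ($out -split 'Name:')[-1]
    return ($answer -match [regex]::Escape($Expected))
}

foreach ($domain in $BlockedDomains) {
    if (Test-Sinkholed "www.$domain" $SinkholeIP) {
        "OK           www.$domain -> $SinkholeIP"
    } else {
        "NOT BLOCKED  www.$domain (check the zone and the client's DNS settings)"
    }
}
```

Two caveats for anyone deploying this: a browser opening the https:// version of a sinkholed site gets a certificate warning rather than the forbidden page, because the sinkhole server cannot present the real site's certificate; and, as the later replies point out, a DNS sinkhole only covers access by hostname, so the router rule that allows port 53 only to the authorized server is what keeps clients from simply switching resolvers.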
 
 
 
 
TheScullster
Guest
Posts: n/a

 
      09-12-2011
"VanguardLH" <> wrote in message
news:j4dvrq$180$...
> TheScullster wrote:
>
>> Hi all
>>
>> In a corporate environment with mainly XP but some Windows 7 clients.
>>
>> Using AD via Windows 2008 R2 domain controller.
>>
>> The question is, what are my options for blocking the use of individual web
>> sites, e.g. facebook?
>> The PCs go straight out via a router/firewall and do not use a proxy.
>>
>> Presumably I could exclude the sites within the firewall rules.
>> The firewall is managed by an outside agency, so getting simple web site
>> blocks is a bit of a pain.
>>
>> There also appears to be a content advisor jobbie within IE8, but this
>> seems
>> very fussy to setup (particularly for a number of users).
>>
>> Any pointers gratefully received.
>>
>> Phil

>
> Block unwanted target sites by their hostname in your DNS server. When
> the user enters the hostname for the target site (www.facebook.com),
> your DNS server returns a link to an error or forbidden page.
>
> There are entire huge web censoring services for this, like WebSense, if
> you don't want to do it yourself. On the cheap side, you could get a
> free OpenDNS account and configure all your workstations to use it for
> DNS services (hostname to IP address lookup). In a free account, you
> can specify up to 50 domains to block (you can block by host but you'll
> probably want to block the entire domain). The paid accounts let you
> define more blacklisted domains.
>
> If you don't want to push a TCP/IP reconfigure onto all your
> workstations so they use OpenDNS (or to prevent users from altering the
> TCP/IP config regarding DNS), have your gateway or router host specify
> to use it for DNS lookups, and then configure the gateway or router to
> forward (fail) the DNS lookups to OpenDNS. If users can alter their
> workstation's TCP/IP config regarding DNS, make sure your gateway or
> router rejects any port 53 traffic that doesn't go to whatever DNS
> server you want to use. They either use the company's authorized DNS
> server or they don't get nameserver lookup services at all.


Thanks Mayayana and Vanguard

I had a feeling there would be a number of options to this perennial problem

Phil


 
 
Mayayana
Guest
Posts: n/a

 
      09-12-2011
| I had a feeling there would be a number of options to this perennial
| problem
|

There's also another approach, though it may not
be something that fits your situation:

IE has always been designed to be deeply tied into
Windows and aimed primarily at corporate use. (Which
is also a big part of why it's such a disaster for personal
use.) Part of that design applies to what you want to
do. If you want to write or find the right software,
you can control IE internally. Microsoft created mime
filters and protocol handlers for the purpose. They're
COM libraries that plug in to the IE process directly.

http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

A protocol handler handles
getting the actual data for a specific protocol (http:,
ftp:, res:, file:, etc.) Urlmon.dll is the default protocol
handler, but replacing it with your own only requires
a Registry edit. Your handler would then have the task
of carrying out the server conversation to download
files, and handing them off to IE. In the process you
can do whatever you like. Facebook.com can return
a picture of Donald Duck or the front page of BBC news.
You have total control.

A mime filter is similar to a protocol handler but it
sits in between the protocol handler and IE, handling
content-type rather than protocols. If a mime filter is
registered for a content type (official "content-type"
names like "text/html") then any conforming download
that comes through the protocol handler will be passed
to the mime filter, which acts as a middleman. In the
case of text/html that means webpages. The mime filter
also has total control. It gets the file bytes from the
protocol handler and passes them to IE. Two chances to
turn facebook.com into Donald Duck!

Protocol handlers and mime filters may be more than
you want to take on, but I wouldn't be surprised if
there's something like that commercially available. There
must be lots of companies that need to do just what
you're doing.



 
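As an added example, not Mayayana's code or Microsoft's, here is a read-only PowerShell audit of what is plugged into IE through the two mechanisms just described. Pluggable protocol handlers register under HKEY_CLASSES_ROOT\PROTOCOLS\Handler (one subkey per scheme) and MIME filters under HKEY_CLASSES_ROOT\PROTOCOLS\Filter (one subkey per content type); each subkey carries a CLSID value, which the script resolves to the implementing DLL through HKCR\CLSID\{clsid}\InprocServer32. Whoever installs a filter wants to confirm it registered; everyone else wants to know whether one appeared that they did not install. Checking both the 64-bit and the Wow6432Node views is an assumption added for 64-bit hosts; keys that do not exist are skipped.

```powershell
# Added example, not from the thread: inventory the protocol handlers and
# MIME filters registered for IE on this machine, with the DLL behind each.
function Get-IEPluggableComponents {
    $hkcr = [Microsoft.Win32.Registry]::ClassesRoot
    # 64-bit and 32-bit (Wow6432Node) views; missing keys are skipped.
    $roots = @(
        @{ Kind = 'Handler'; Path = 'PROTOCOLS\Handler' },
        @{ Kind = 'Filter';  Path = 'PROTOCOLS\Filter' },
        @{ Kind = 'Handler'; Path = 'Wow6432Node\PROTOCOLS\Handler' },
        @{ Kind = 'Filter';  Path = 'Wow6432Node\PROTOCOLS\Filter' }
    )
    foreach ($root in $roots) {
        $rootKey = $hkcr.OpenSubKey($root.Path)
        if ($rootKey -eq $null) { continue }
        foreach ($name in $rootKey.GetSubKeyNames()) {
            # The .NET registry API is used instead of the Registry: drive
            # because filter key names such as "text/html" contain a slash,
            # which the PowerShell provider would treat as a path separator.
            $sub   = $rootKey.OpenSubKey($name)
            $clsid = $sub.GetValue('CLSID')
            $dll   = $null
            if ($clsid) {
                foreach ($view in 'CLSID', 'Wow6432Node\CLSID') {
                    $inproc = $hkcr.OpenSubKey("$view\$clsid\InprocServer32")
                    if ($inproc -ne $null) { $dll = $inproc.GetValue(''); break }   # default value = DLL path
                }
            }
            New-Object PSObject -Property @{
                Kind  = $root.Kind    # Handler (scheme) or Filter (content type)
                Name  = $name         # e.g. 'http', 'res', 'text/html'
                CLSID = $clsid
                Dll   = $dll
            }
        }
    }
}

Get-IEPluggableComponents | Sort-Object Kind, Name |
    Format-Table Kind, Name, Dll, CLSID -AutoSize
```

Anything in the Dll column outside the Windows system directories, or a handler for http/https that is not the stock urlmon component, is worth a closer look: the same "total control" Mayayana describes applies to whoever registered it.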
 
VanguardLH
Guest
Posts: n/a

 
      09-12-2011
Mayayana wrote:

>| I had a feeling there would be a number of options to this perennial
>| problem
>|
>
> There's also another approach, though it may not
> be something that fits your situation:
>
> IE has always been designed to be deeply tied into
> Windows and aimed primarily at corporate use. (Which
> is also a big part of why it's such a disaster for personal
> use.) Part of that design applies to what you want to
> do. If you want to write or find the right software,
> you can control IE internally. Microsoft created mime
> filters and protocol handlers for the purpose. They're
> COM libraries that plug in to the IE process directly.
>
> http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
>
> A protocol handler handles
> getting the actual data for a specific protocol (http:,
> ftp:, res:, file:, etc.) Urlmon.dll is the default protocol
> handler, but replacing it with your own only requires
> a Registry edit. Your handler would then have the task
> of carrying out the server conversation to download
> files, and handing them off to IE. In the process you
> can do whatever you like. Facebook.com can return
> a picture of Donald Duck or the front page of BBC news.
> You have total control.
>
> A mime filter is similar to a protocol handler but it
> sits in between the protocol handler and IE, handling
> content-type rather than protocols. If a mime filter is
> registered for a content type (official "content-type"
> names like "text/html") then any conforming download
> that comes through the protocol handler will be passed
> to the mime filter, which acts as a middleman. In the
> case of text/html that means webpages. The mime filter
> also has total control. It gets the file bytes from the
> protocol handler and passes them to IE. Two chances to
> turn facebook.com into Donald Duck!
>
> Protocol handlers and mime filters may be more than
> you want to take on, but I wouldn't be surprised if
> there's something like that commercially available. There
> must be lots of companies that need to do just what
> you're doing.


All that requires pushing a new urlmon.dll onto the company's
workstations. Instead of going through all that work for setup and
hoping their employees don't use LiveCDs to boot an OS that isn't a
company-prepped image or running off the workstations' hard disks, I
would think upstream control would be more secure as the employees can't
get access to wherever or on whatever the upstream filtering is applied.
Of course, if you've locked the workstations so they cannot boot from
removable media then you force them to use what's on the hard disk(s),
but you're still hoping your push of files cannot be interfered with by
the employee using your workstation(s). Alas, there are departments
within a company, especially one involved in software development, that
must be granted admin privileges on their hosts, like Development and
QA, and they can undo anything you do via policies or sysprep. So an
upstream scheme is probably more secure and reduces how many nodes in
your network you have to manage.
 
 
Mayayana
Guest
Posts: n/a

 
      09-12-2011
| All that requires pushing a new urlmon.dll onto the company's
| workstations.

Not a new urlmon, but yes, it does require installing
something.

| Instead of going through all that work for setup and
| hoping their employees don't use LiveCDs to boot an OS that isn't a
| company-prepped image or running off the workstations hard disks, I
| would think upstream control would be more secure as the employees can't
| get access to wherever or on whatever the upstream filtering is applied.

That makes sense to me. If it's possible to control
the DNS server that also takes care of people using a
non-IE browser. I was just letting the OP know his
options. He was asking about controlling IE, and that's
what these plugins are intended for.


 
 
VanguardLH
Guest
Posts: n/a

 
      09-12-2011
Mayayana wrote:

>| All that requires pushing a new urlmon.dll onto the company's
>| workstations.
>
> Not a new urlmon, but yes, it does require installing
> something.
>
>| Instead of going through all that work for setup and
>| hoping their employees don't use LiveCDs to boot an OS that isn't a
>| company-prepped image or running off the workstations hard disks, I
>| would think upstream control would be more secure as the employees can't
>| get access to wherever or on whatever the upstream filtering is applied.
>
> That makes sense to me. If it's possible to control
> the DNS server that also takes care of people using a
> non-IE browser. I was just letting the OP know his
> options. He was asking about controlling IE, and that's
> what these plugins are intended for.


Alas, DNS censoring alone only covers the case where a hostname is used to
reference a site. I don't know the OP's setup, but IP address censoring
might be something else to consider implementing in the router or whatever
is the gateway for the workstations. Hopefully the IP addresses for
Facebook (I only see the one, 69.171.228.11, for now) don't change often,
and more boundary hosts don't get added to their web farm.

OpenDNS, or the company's server, or whatever DNS server gets used by
the workstations, is only one point where censoring can be implemented.
The router or firewall appliance might also permit listing a blacklist
of IP addresses.

A few users might get the IP address of a target host that is blocked
via DNS censorship. They could use some of the web sites providing net
tools to get the IP address in case the nslookup of a hostname results
in just getting back the error or forbidden page's IP address in a DNS
censor setup. Of course, those net tools sites could get blacklisted,
too, but that gets into a lot of maintenance for web sites by hostname
and IP address, and that is when companies start looking at contracting a
censor service, like Websense (I'm sure there are others, but this is the
one I got stuck having to circumvent at a couple of companies or strive to
get their categories updated).
 
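The IP-address blacklist Vanguard describes only stays useful if it tracks the site's addresses as they change. As an added example, not from the thread, this PowerShell script resolves the sinkholed domains, diffs the result against the previous snapshot and reports what the firewall administrator should add or remove. The domain list, snapshot path and sinkhole address are constructed placeholders. It assumes it runs on a host that resolves through an unfiltered upstream resolver, and it flags the failure mode that otherwise goes unnoticed: a lookup answered by the sinkhole itself, which would silently put the sinkhole's own address on the block list.

```powershell
# Added example, not from the thread: keep the gateway's IP blacklist in
# step with the domains blocked by name. Assumptions: $BlockedDomains,
# $SinkholeIP and $SnapshotFile are constructed placeholders; this host's
# resolver is NOT the sinkholed DNS server.

$BlockedDomains = @('facebook.com', 'www.facebook.com')   # constructed list
$SinkholeIP     = '10.0.0.5'                              # placeholder
$SnapshotFile   = 'C:\dnsblock\blocked-ips.txt'           # placeholder path

function Get-BlockedAddresses([string[]]$Domains, [string]$Sinkhole) {
    # Returns a hashtable: IPv4 address -> domain it was resolved from.
    $found = @{}
    foreach ($d in $Domains) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($d) |
                     Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                     ForEach-Object { $_.IPAddressToString }
        } catch {
            Write-Warning "lookup failed for $d : $_"
            continue
        }
        foreach ($a in $addrs) {
            if ($a -eq $Sinkhole) {
                # The query was answered by the filtered DNS server, so the
                # real addresses are unknown from here; do not record it.
                Write-Warning "$d resolved to the sinkhole; run this from an unfiltered host"
                continue
            }
            $found[$a] = $d
        }
    }
    return $found
}

$current  = Get-BlockedAddresses $BlockedDomains $SinkholeIP
$previous = @()
if (Test-Path $SnapshotFile) { $previous = @(Get-Content $SnapshotFile) }

$added   = @($current.Keys | Where-Object { $previous -notcontains $_ })
$removed = @($previous     | Where-Object { -not $current.ContainsKey($_) })

# ADD/REMOVE lines are what gets handed to whoever manages the firewall.
foreach ($ip in $added)   { "ADD    $ip  (from $($current[$ip]))" }
foreach ($ip in $removed) { "REMOVE $ip" }
if ($added.Count -eq 0 -and $removed.Count -eq 0) { "no change" }

# Persist the snapshot for the next run (only if something was resolved).
if ($current.Count -gt 0) {
    $current.Keys | Sort-Object | Set-Content $SnapshotFile
}
```

Run it on a schedule and route the ADD/REMOVE output to the people who manage the firewall; a REMOVE line that drops an address the site is still using is the kind of change that is easy to miss when the list is maintained by hand, and a sinkhole warning means the host's own resolver settings have drifted onto the filtered server.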