Need free solution to block internet access on desktop machine to only allow one site?

Discussion in 'Windows Server' started by David Lewis, Jul 7, 2004.

  1. David Lewis

    David Lewis Guest

    We got a problem user and we need to block Internet access on that machine.
    The problem is the user needs access to www.usps.com and that's it. Another problem
    is we have an active directory domain so messing with dns does not seem to be
    an option. A proxy server is not an option at this time either.
     
    David Lewis, Jul 7, 2004
    #1

  2. 1) Do it in the firewall?
    2) Give the individual warnings that he/she will be terminated if it
    persists?

    Got to ask: who is in charge, the problem employee or the company? ;-)

    Tom

    | We got a problem user and we need to block Internet access on that machine.
    | The problem is the user needs access to www.usps.com and that's it. Another problem
    | is we have an active directory domain so messing with dns does not seem to be
    | an option. A proxy server is not an option at this time either.
     
    Tom Pepper Willett, Jul 7, 2004
    #2

  3. If you know the IP address and subnet mask for www.ups.com, you could
    configure the user's machine with a static route and no default gateway.

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jul 7, 2004
    #3
  4. David Lewis

    Don Varnau Guest

    Don Varnau, Jul 7, 2004
    #4
  5. Arek Iskra [MVP], Jul 7, 2004
    #5
  6. Oops... must be the synchronization time difference, as I didn't see your
    post earlier :)
     
    Arek Iskra [MVP], Jul 7, 2004
    #6
  7. Oops... must be the synchronization time difference, as I didn't see your
    post earlier. Nevertheless, we both thought of the same solution, amazing :)
     
    Arek Iskra [MVP], Jul 7, 2004
    #7
  8. What if this user installs a third-party web browser?

    My vote goes on Doug's suggestion.
     
    Kristofer Gafvert, Jul 7, 2004
    #8
  9. David Lewis

    David Lewis Guest

    Firewall, no, not what I am going to do, but it does raise a few questions.
    Say I did filtering at the firewall, I would have to maintain a separate username/password database
    than what is in active directory? If I used a radius server, how can I sync active directory with a radius
    server? How do I run a radius server anyways? I have thought about this before in the past and have
    wondered about it.

    As far as termination, well, there are politics and legal issues that make termination difficult. The owners
    would just rather remove it altogether.

    There is also another issue, but this may be a topic for a different group. But what about joke email
    filtering? I am totally against this but apparently this has been a problem in the past with this employee.
    So they have asked me about joke email filtering for this employee only. We are upgrading to a
    2003 exchange server in the very near future. What kind of filtering options are there for this situation?

    "Tom Pepper Willett" <>
    |>1) Do it in the firewall?
    |>2) Give the individual warnings that he/she will be terminated if it
    |>persists?
    |>
    |>Got to ask: who is in charge, the problem employee or the company? ;-)
    |>
    |>Tom
    |>
    |>| We got a problem user and we need to block Internet access on that machine.
    |>| The problem is the user needs access to www.usps.com and that's it. Another problem
    |>| is we have an active directory domain so messing with dns does not seem to be
    |>| an option. A proxy server is not an option at this time either.
    |>
     
    David Lewis, Jul 7, 2004
    #9
  10. David Lewis

    David Lewis Guest

    David Lewis, Jul 7, 2004
    #10
  11. David Lewis

    David Lewis Guest

    David Lewis, Jul 7, 2004
    #11
  12. When a user has a right to install a third-party browser, the more likely
    he/she will be able to figure out that the default gateway is missing. But as
    long as users are not members of the Administrators group, that should work
    great!
     
    Arek Iskra [MVP], Jul 8, 2004
    #12
  13. David Lewis

    David Lewis Guest

    Users do not have local admin rights nor the skills to get a 3rd-party browser and load it.
    But changing the default gateway would render all Internet access not working.

    "Arek Iskra [MVP]" <>
    |>When a user has a right to install third-party browser, the more likely
    |>he/she will be able to figure out that default gateway is missing. But as
    |>long as users are not members of Administrators group, that should work
    |>great!
     
    David Lewis, Jul 8, 2004
    #13
  14. This will work:

    1. On the workstation, manually configure TCP/IP with no default gateway.
    Block the user from access to these settings.

    2. Execute the following command:

    route -p add 153.2.224.50 MASK 255.255.255.255 <IP address of gateway>

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jul 10, 2004
    #14
  15. Oops - sorry I thought it was ups.com - the IP address for usps.com is:

    route -p add 56.0.134.24 MASK 255.255.255.255 <IP address of gateway>

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jul 10, 2004
    #15
  16. David Lewis

    David Lewis Guest

    I am unfamiliar with the route command.
    Will it remain between logins or do I need to run it each time the user logs in?
    Is a route table held in a text file some place? Say I want to add a few other sites,
    do I have to enter a route for each site? Can I modify the routes remotely on a system?

    "Doug Sherman [MVP]" <>
    |>Oops - sorry I thought it was ups.com - the IP address for usps.com is:
    |>
    |>route -p add 56.0.134.24 MASK 255.255.255.255 <IP address of gateway>
    |>
    |>Doug Sherman
    |>MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
    |>
    |>> too restrictive.
    |>> I need to do www.usps.com and everything in that domain.
    |>> But every single page pops up and says enter password.
    |>>
    |>> "Arek Iskra [MVP]" <>
    |>> |>Check out this:
    |>> |>http://support.microsoft.com/default.aspx?scid=kb;en-us;q267930
    |>> |>
    |>> |>It was written for IE 5.5, but works on version 6 as well.
    |>>
    |>
     
    David Lewis, Jul 12, 2004
    #16
  17. Doug Sherman [MVP], Jul 13, 2004
    #17
  18. David Lewis

    David Lewis Guest

    OK, I got this to work now. But I am having problems getting windowsupdate to work properly.
    Is there a way to allow 207.46.*.* to route to the gateway?


    rem *** Microsoft.com
    route -p add 207.46.250.119 MASK 255.255.255.255 192.168.0.1
    route -p add 207.46.244.188 MASK 255.255.255.255 192.168.0.1
    route -p add 207.46.250.184 MASK 255.255.255.255 192.168.0.1
    route -p add 207.46.249.57 MASK 255.255.255.255 192.168.0.1

    rem *** windowsupdate.microsoft.com
    route -p add 207.46.134.90 MASK 255.255.255.255 192.168.0.1
    route -p add 207.46.156.88 MASK 255.255.255.255 192.168.0.1

    rem *** UPS.com
    route -p add 153.2.228.50 MASK 255.255.255.255 192.168.0.1
    route -p add 153.2.224.50 MASK 255.255.255.255 192.168.0.1

    rem *** FedEx.com
    route -p add 199.81.203.50 MASK 255.255.255.255 192.168.0.1

    rem *** USPS.com
    route -p add 56.0.134.24 MASK 255.255.255.255 192.168.0.1

    @Echo Routes set to limit internet access

    @Echo Make sure to manually configure TCP/IP with no default gateway.



    "Doug Sherman [MVP]" <>
    |>Oops - sorry I thought it was ups.com - the IP address for usps.com is:
    |>
    |>route -p add 56.0.134.24 MASK 255.255.255.255 <IP address of gateway>
    |>
    |>Doug Sherman
    |>MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
    |>
    |>> too restrictive.
    |>> I need to do www.usps.com and everything in that domain.
    |>> But every single page pops up and says enter password.
    |>>
    |>> "Arek Iskra [MVP]" <>
    |>> |>Check out this:
    |>> |>http://support.microsoft.com/default.aspx?scid=kb;en-us;q267930
    |>> |>
    |>> |>It was written for IE 5.5, but works on version 6 as well.
    |>>
    |>
     
    David Lewis, Jul 14, 2004
    #18
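
    Added example, not part of the thread: the 207.46.*.* range asked about in post #18 is expressed to the route command as network 207.46.0.0 with mask 255.255.0.0. The batch file below adds that network route next to the thread's host routes, after first checking that no default route is left on the machine. The gateway 192.168.0.1 and the host addresses are the ones posted in #18; the registry query at the end assumes reg.exe is available on the workstation.

```batch
@echo off
rem Added example, not from the thread. GATEWAY and the host addresses are
rem the values posted in #18; change them to match your own network.
setlocal
set GATEWAY=192.168.0.1

rem The allowlist only restricts anything if there is no default route.
rem "route print 0.0.0.0" lists routes whose destination is 0.0.0.0;
rem findstr returns errorlevel 0 when such a line is present.
route print 0.0.0.0 | findstr /r /c:"^ *0\.0\.0\.0 " >nul
if not errorlevel 1 (
    echo Default route still present. Remove the default gateway first.
    exit /b 1
)

rem *** Network route: one entry covers 207.46.0.0 through 207.46.255.255
route -p add 207.46.0.0 MASK 255.255.0.0 %GATEWAY%

rem *** Host routes: UPS.com, FedEx.com, USPS.com (addresses from post #18)
for %%A in (153.2.228.50 153.2.224.50 199.81.203.50 56.0.134.24) do (
    route -p add %%A MASK 255.255.255.255 %GATEWAY%
)

rem Show the resulting table, then the persistent entries. Routes added
rem with -p are stored in this registry key and survive reboots and logons.
route print
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes"

endlocal
```

    The 255.255.0.0 route opens every address in that range, so it is a much wider exception than the single-host routes. A route entered by mistake can be taken out again with route delete followed by the destination address.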