
Blocking ALL Websites Except 2



So here's my problem - we have a 'security' department at my work which basically all they do is sit around and surf the net all day and don't really do any work. The director of the department wants to block ALL websites except our local intranet website and a news site. I've been playing around with IE's Content Advisor and blocked *.com, *.net, *.org etc. and allowed the 2 websites he'd like to be accessed. It seems to be working flawlessly, blocking everything. Is Content Advisor a tried and true way to block sites? I've looked at trying to find workarounds on hacking the supervisor password but to do it they would either need to go into the registry (which they don't have access to) or install some cracking app (which they also have no access to).

I need to block all sites as transparently, quickly and non-invasively as possible. I'd prefer not to have to install any software on the machine but will look at options. Originally I was going to utilize the host file until the director came back and said that he wanted ALL sites blocked.

Any advice or solutions are welcome!



How many client PCs do you have to do this for?

One way I can think of is to not specify a DNS server on client PCs and give them 2 shortcuts:

1 for the intranet

1 for the news site (by IP address)

The practicality of this would all depend though on how many clients you are doing this for.

Thanks


Thanks for the suggestion... I'm only having to do this on 2 machines in the network. It could go up to around 5 or so at some point. I'm liking the Content Advisor though... it seems to be doing a superb job. Ohh... the poor security guards... whatever will they do now?! ;)

They will still need their DNS info for remote printing and other application uses.


Content advisor is meant to block a site by content, not by page, but it can work for the most part. A better way to do it would be to install a proxy server and force everyone to use that, but content advisor will work on a small scale without too many problems. There's even a KB on it:

http://support.microsoft.com/kb/310401


Yup, put the KB to use earlier... thanks for the link. I would use the proxy idea; however, they will still have to connect to our network's proxy due to the 2 pages that are still required. Alrighty then! Well... thanks for all the suggestions, tomorrow the hammer is coming down! Muahahaha... gotta love being an admin ;)


For anyone that's interested the Content Advisor is working like a charm! ;) The only issue was with certain apps that had to access the web in the background for certain things, I had to allow the sites they were accessing. I guess I just didn't think it would be an issue since IE wouldn't be 'open' per se. Anyways... all the security guards are royally p***ed!! Haha


I would definitely go with the proxy method, i.e. force all Internet traffic through the filtering proxy. Anything client-side is quite easily defeated if your users have the knowledge (and even filtering proxies can be, with even more knowledge... ;))


Well, first of all there's nothing to worry about with the whole knowledge thing... these guys are "rent-a-cop" security guards with basically no computer skills. And as I said before I can't redirect them through another proxy as they have to connect to our network proxy to perform other tasks and run certain apps.


Since there are some "issues" with https: sites and content advisor / parental controls, you should consider using a proxy.pac file as the autoconfiguration address, and that'd allow you to lock things down even further. Information on proxying in Internet Explorer, configuration of proxy based on configuration scripts, and specific information on .js or .pac proxy files in Internet Explorer can be found at the following URLs:

http://www.microsoft.com/technet/prodtechn...k.mspx?mfr=true

http://www.microsoft.com/technet/prodtechn...s.mspx?mfr=true

http://www.microsoft.com/mind/0599/faq/faq0599.asp

http://wp.netscape.com/eng/mozilla/2.0/rel...proxy-live.html

http://java.sun.com/j2se/1.4.2/docs/guide/...xie_config.html

A sample proxy .pac file that allows traffic to local LAN sites (for example, http://localsite), allows https traffic to all pages at mail.yourcompany.com, but blocks all other traffic (including all other http and https traffic) is listed below:

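//beginning of file

function FindProxyForURL(url, host)
{
    // Local LAN sites (host names without dots, e.g. http://localsite) connect directly
    if (isPlainHostName(host))
        return "DIRECT";
    // https traffic to any page at mail.yourcompany.com connects directly;
    // shExpMatch takes two arguments and the pattern is matched against the full URL
    else if (shExpMatch(url, "https://mail.yourcompany.com/*"))
        return "DIRECT";
    // Everything else is handed to a local address and port, so the request fails
    else if (url.substring(0, 5) == "http:")
        return "PROXY 127.0.0.1:4321";
    else if (url.substring(0, 4) == "ftp:")
        return "PROXY 127.0.0.1:4321";
    else if (url.substring(0, 7) == "gopher:")
        return "PROXY 127.0.0.1:4321";
    else if (url.substring(0, 6) == "https:")
        return "PROXY 127.0.0.1:4321";
    // Any other scheme gets the same treatment
    else
        return "PROXY 127.0.0.1:4321";
}

//end of file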

The proxy file above simply displays a “page could not be displayed” error page when a page that is disallowed by the proxy is attempted (in the above case, this would be anything that is not local LAN traffic or https traffic to mail.yourcompany.com).

If you wish to redirect the user, or display a custom error page, you must have a proxy web server running at the address after the “PROXY” line, and at the port specified (can be any port, I used 4321 as an example).
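An allowlist-style PAC file for the situation in this thread, where the two permitted destinations still have to go through the existing network proxy. This is an added example, not part of the original post: the proxy address, the news host names and the helper names are assumptions, and the host checks use plain string operations instead of the PAC helper functions so the file also runs outside a browser.

```javascript
// Assumed values, not taken from the thread: replace with your own.
var NETWORK_PROXY = "PROXY proxy.example.internal:8080"; // existing corporate proxy
var BLACKHOLE = "PROXY 127.0.0.1:4321";                  // dead local port, request fails
var ALLOWED_HOSTS = ["news.example.com", "www.news.example.com"];

// Exact, case-insensitive comparison of the whole host name.
// A wildcard match on the URL would also accept URLs that merely
// contain the allowed name in a path, query string or longer host name.
function isAllowedHost(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // ignore a trailing dot
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    if (host === ALLOWED_HOSTS[i]) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // Only web schemes are ever let out; ftp, gopher, etc. are black-holed.
  if (scheme !== "http" && scheme !== "https") return BLACKHOLE;
  // Intranet: single-label names, the same test isPlainHostName() performs.
  // The ":" check keeps dot-free IPv6 literals from counting as local names.
  if (host !== "" && host.indexOf(".") === -1 && host.indexOf(":") === -1) {
    return "DIRECT";
  }
  // The permitted news site goes out through the existing proxy.
  if (isAllowedHost(host)) return NETWORK_PROXY;
  return BLACKHOLE;
}

// Constructed sample requests as [url, host] pairs, for checking the rules offline.
var SAMPLES = [
  ["http://intranet/home", "intranet"],
  ["http://www.news.example.com/world", "www.news.example.com"],
  ["https://NEWS.example.com./", "NEWS.example.com."],
  ["http://other.example.org/?ref=news.example.com", "other.example.org"],
  ["http://news.example.com.other.example.org/", "news.example.com.other.example.org"],
  ["ftp://news.example.com/file", "news.example.com"]
];

function evaluateSamples() {
  var results = [];
  for (var i = 0; i < SAMPLES.length; i++) {
    results.push(FindProxyForURL(SAMPLES[i][0], SAMPLES[i][1]));
  }
  return results;
}
```

As noted elsewhere in the thread, a PAC file is still a client-side control; the same allowlist applied on the network proxy itself is what enforces it.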


Thanks for the info cluberti. As of now we are utilizing a proxy.pac file on our network... I wonder if I could just edit it to fit the needs of these particular boxes. I know nothing about creating/modifying them, but for the most part understand what you've posted in code.
