Link to home
Start Free TrialLog in
Avatar of cdubbcisco
cdubbciscoFlag for United States of America

asked on

How can i prevent a computer from accessing the internet

I have 2 questions
HOw can i prevent someone from accessing the internet through a web browser(I.E)
or can i lock it down by user access
these computers are not part of a domain
just workgroup
i believe they are win xp
ASKER CERTIFIED SOLUTION
Avatar of Don
Don
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of sugarfreeless
sugarfreeless

you could also configure the router to deny that mac address access.
sure a small percentage of employee's try to circumvent lock down measures, but those statistics are typically taken from large corporations.  Since these systems are not part of a domain I'm guessing not many hackers work there.

I should point out it's only possible to spoof a mac address with admin privs.  Also a quick search on google to bypass steadystate gives any user a quick way to do so.  ;)

If you are looking for a pretty solid solution in which the user does not have access to change or circumvent settings its on the router.
"Also a quick search on google to bypass steadystate gives any user a quick way to do so.  ;)"
 
 
HMMMMM......dont seem to be finding anything for that......strange
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
User configuration|Administrative Templates|Windows Components|Windows Explorer|Disable Windows Explorer's default context menu - in group policy
or local policy in this case ^
I would prefer the quick 60 second configuration of the router versus software installations and local policy changes.  But what ever works for cdubbcisco is fine with me.
By the way, that circumvention doesnt work(even with right click still available)
We each beleive it's possible to circumvent the solutions.
The only differences are my solution is quicker and harder to circumvent for savvy users (providing the OS has a limited user account).

With that I'm leaving it to the thread owner.
Best of luck to you.
I agree with both of you, but some routers will not even allow this type of block.  Most wireless and broadband routers have this capability, but if this is a high end Cisco router then I don't see this in the config.  If this is a layer 3 switch then it is entirely possible.  I am sure that you see the difference between the elegance of a hardware versus a software solution, however I do believe in this case it is much easier to simply point the proxy settings in IE to the local host and then lock the settings down or remove their admin privelages.  If we are speaking of a user that is being removed of all internet access then I seriously doubt that they have admin access to their local machine.  If they do then they of course would be able to bypass this on the user level.

Also, I am sure that you know that a router does not deal with ARP.  It will let the switch do that.  Again, if this is JUST a router then your solution will not work.  Switches deal with the ARP (MAC addresses and LLC) and the router routes the applicable IP packets (Or whatever protocol is being routed).

From a security standpoint, the idea of someone spoofing their IP address is entirely plausible, hence this should be taken under advisement.  Administrative control will most likely not be circumvented unless the user knows the local administrator password.  This should be strong to implement a hardware solution.

HTH
Which basically leads back to my first comment :-)
indeed.
Avatar of cdubbcisco

ASKER

How  could I set the proxy to 127.0.0.1?
thanks
My solution is easly accomplished on a linksys router.
Tools>>>internet options>>>connections>>>lan settings>>>proxy server
Sorry cdubbcisco I didn't see your comment before posting mine.
Yes, on a Broadband router this is the way to go or a layer 3 switch.  In this case I would go with the proxy setting
you should also set under GPEDIT.msc>>>User Config>>>Admin Templates>>>Windows Components>>>Internet Explorer>>>Disable Changing Proxy Settings=ENABLED
I see how to get to this location
Tools>>>internet options>>>connections>>>lan settings>>>proxy server
should i enable that and put an erroneous ip address in here?
I am guessing if i put an address in that will break the access to internet explorer accessing the internet
what is a proxy server?
thanks
Yes, enable it and you would put the erroneous ip address there.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
How about just removing the default gateway on the computer(s) in question? Also, if they are not a member of the local admin group, they would not be able to adjust the properties of the network properties to re-add it.
How about just removing  the ethernet/patch cable??





This would be the perfect solution, unless they have a need for file sharing or accessing network shares, in which a gateway is not required for.
Last 4 comments are most likely moot anyway, as author had already inquired about how to configure the false proxy.


: ^ D
Well at minimum I should get an assist. I agree that the proxy trick will work, the method I mention is, in my opinion, easier and requires the least amount of administrative overhead. I will just sit back and watch the results. May the best poster win. :)
"Well at minimum I should get an assist. I agree that the proxy trick will work, the method I mention is, in my opinion, easier and requires the least amount of administrative overhead. I will just sit back and watch the results. May the best poster win. :)"


LMAO

This aint no contest, and you dont have any established rep.
tools / internet options / connections / lan settings / proxy
This was said multiple times.  

The Author knows how to get there.  This is just an unclosed question.

Thanks for posting.

Please close this question.