How do I block aol, yahoo, msn from being accessed from my network?

Posted on 2004-07-31
Last Modified: 2008-05-29
I have a client who is having a problem with her employees not doing enough work. They are constantly on AOL, Yahoo, or MSN. How do I block them from accessing those programs/websites? She also wants to see if there is a program to see what they are doing on their computers. She said she can run a report telling her what her employees are accessing. Is there a program that acts like Big Brother? She doesn't want her employees to find out.
She is running XP Pro on 5 machines. The server is Windows 2000 SP4.
Question by:modriven

Expert Comment

ID: 11685562

You didn't specify how you connect to the internet, but more than likely you have some sort of routing device that is sharing your internet connection. To block these apps from working you need to close the ports they communicate over. Find out what ports you need to block (for example, AOL Instant Messenger is port 5190) and configure your router's firewall settings to block those ports.

Good Luck!

Expert Comment

ID: 11685613
The easiest way of doing this (I had to do this) is to get a product like ANS (Active Net Steward). This is a firewall and surfcontrol software with which it can block applications; this is useful as it can be controlled centrally by an administrator.

See link

You can also use applications like McAfee Internet Suite installed on the workstation, but they can't be centrally controlled.

Just blocking ports is not always the solution, as users can use iqc's and configure the port to the proxy or internet port that you have set!!

Hope this helps.


Expert Comment

ID: 11686229
From a previous EE posting:


Seeing as all of these will tunnel through port 80 if all other ports are blocked, blocking port 80 isn't going to do much good, as you'll stop web browsing for everybody else....
You need to block access to the AOL, MSN and Yahoo IP addresses directly.


Preventing IM traffic from leaving the network is also difficult. Like Napster, the major IM clients will work quite hard to find a port to exit your LAN, using HTTP if they have to. AIM needs to connect to the host in order to start up, so blocking traffic to this destination will effectively shut it down. However, at press time, the name com points to the following IP addresses, according to a DNS lookup:

You'll need to block all of these and check for any new servers on a regular basis. Yahoo! Messenger can be blocked in a similar way, by killing off outbound access to the hosts answering to the following names:

Each of the above names resolves out to multiple IP addresses, and, of course, Yahoo! can add new addresses at any time, making it an ongoing battle.

MSN Messenger can be blocked by blocking IP access to the Hotmail network range- through Interestingly, this does not seem to totally block access to Hotmail's Web-based mail service.
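The upkeep this posting describes (re-resolving the login names and adding any new addresses to the firewall) can be scripted. The following is an added example, not part of the original post; the hostnames and addresses are constructed placeholders, since the real ones are not preserved on this page.

```python
import ipaddress
import socket

# Constructed placeholder names; substitute the IM login hosts you block.
IM_LOGIN_HOSTS = ["login.im-a.example", "login.im-b.example"]

# Constructed sample answers (documentation address ranges) for offline runs.
CONSTRUCTED_DNS = {
    "login.im-a.example": {"192.0.2.10", "192.0.2.11"},
    "login.im-b.example": {"198.51.100.7"},
}


def system_resolver(name):
    """Return every IPv4 address the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def snapshot(hosts, resolver=system_resolver):
    """Map each hostname to the set of addresses it resolves to right now."""
    return {host: set(resolver(host)) for host in hosts}


def diff_blocklist(blocked, current):
    """Compare the addresses already blocked with a fresh snapshot.

    Returns (to_add, to_review): addresses missing from the firewall, and
    blocked addresses no name returned this time. Review the second list
    before removing anything: round-robin DNS may just not have handed
    those addresses out on this lookup.
    """
    seen = set().union(*current.values())
    by_ip = ipaddress.ip_address
    return sorted(seen - blocked, key=by_ip), sorted(blocked - seen, key=by_ip)


if __name__ == "__main__":
    already_blocked = {"192.0.2.10", "203.0.113.5"}  # constructed
    current = snapshot(IM_LOGIN_HOSTS, resolver=lambda h: CONSTRUCTED_DNS.get(h, set()))
    to_add, to_review = diff_blocklist(already_blocked, current)
    print("add to firewall:", to_add)
    print("review for removal:", to_review)
```

Run it on a schedule with the default `system_resolver` and feed `to_add` into whatever rule format your firewall uses.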



Expert Comment

ID: 11686934
Well... for accessing those web pages he could simply modify the c:\windows\system32\drivers\etc\hosts file typing like

and stuff like that... no?

But if you want real access restrictions and stuff like that, you should buy a firewall. I know that Norton Internet Security can restrict access to some sites. Is it easy to manage... no idea.

Expert Comment

ID: 11687289
I would recommend WinGate (corporate proxy). I've been using it for almost a year now and I'm very happy with it.

Recently I wrote an app which looks for window captions and terminates the application. You need to feed it with keywords like "yahoo", though.

Expert Comment

ID: 11687632
Something of interest:

Expert Comment

ID: 11696786
Honestly, since Yahoo and AOL/AIM offer "in browser" buddy lists, it's very hard to block the use of the control module in the browser. For instance, you go to each computer, uninstall Yahoo Messenger and AOL's AIM and even MSN, and then set all their user rights to not allow install of programs/applications; once they find out this won't work, they will just use the "in browser" version. Now, as "steveoh" stated, to actually prevent them from using it at all you will need to block the port, the IP address, host name, whatever. What we do at our organization is block all users from any kind of internet signal with our firewall and then assign users who actually need the internet for productivity a static IP address. Then for your look-in tool you can use a freeware called VNC or Remote Desktop within XP. Good luck locking down those users. Oh, by the way, they're gonna hate you for it, but someone has to do the job!

Expert Comment

ID: 11696919
Most of these IM programs can connect to their servers on an arbitrary port, so blocking ports isn't going to help. MSN can connect via HTTP as well (I'm sure others can as well). An easy way that doesn't require installing things on every workstation is to run a proxy server. Then you can block outgoing connections to all ports for everybody except the proxy server, and configure the proxy to disallow access to the IM login servers.
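A sketch of the proxy-side decision described in the comment above, as an added example that is not part of the original comment. The denied domains are constructed placeholders, and refusing CONNECT to non-HTTPS ports or bare IP addresses is an assumed policy, included because a rule that only matches names does not cover tunnels opened by port or by address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder domains; substitute the IM login domains you block.
DENIED_SUFFIXES = ("im-a.example", "messenger.im-b.example")
ALLOWED_CONNECT_PORTS = {443}  # assumption: only HTTPS may be tunnelled


def target_of(method, target):
    """Extract (host, port) from a proxy request's method and target."""
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.strip("[]").lower(), int(port)
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.port or 80


def is_denied_host(host):
    """True when host is a denied domain or a subdomain of one."""
    host = host.rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DENIED_SUFFIXES)


def is_literal_ip(host):
    """True when the target is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(method, target):
    """Return 'allow' or a 'deny: reason' string for one proxy request."""
    try:
        host, port = target_of(method, target)
    except ValueError:
        return "deny: malformed target"
    if not host:
        return "deny: malformed target"
    if is_denied_host(host):
        return "deny: IM login domain"
    if method.upper() == "CONNECT":
        if port not in ALLOWED_CONNECT_PORTS:
            return "deny: CONNECT to non-HTTPS port"
        if is_literal_ip(host):
            return "deny: CONNECT to bare IP"
    return "allow"
```

The same three checks map onto the ACL features of most proxy servers; this only works if the firewall refuses outbound connections from every host except the proxy, as the comment says.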

Accepted Solution

jeremytse19 earned 125 total points
ID: 11698930
Hi modriven,

From a previous question I answered:

Again I can't vouch for the software, as I have never used it.

Hi Ridek,

The link that I sent you actually talks about blocking the ports / servers that are used to chat. Having said that, the user can simply use another chat program / server / port. So it will require maintenance on your part as servers / ports become usable for messengers. (eg. HTTP wasn't able to be used before .. but now it is).

Another user suggested for XP: "Run secpol.msc, go to software restriction policies, additional rules, add rules that block ypager.exe (for Yahoo), do the same for other programs like ICQ and so on. Uninstall the program. Even after reinstalled, it will not run."

However, if the user is smart enough, they can either rename the program, or use other software (such as Miranda or Trillian).

I'm not sure why yahoo and msn are excluded when you disable installs.

If you can't find out why, maybe you might want to consider this or something similar?
I can't vouch for it as I have never used it.

This also might be of interest ...

Hope any of this helps you in finding a solution.

Expert Comment

by:Mike R.
ID: 11699909
There are many programs which monitor program access and system usage.  Do some searches on the net to find the best ones.  Altiris, and even Microsoft SMS work well.

A firewall is what is necessary to prevent ports from being used, but AOL allows savvy users to change their connection port, even to use ones like 110, 21 and 23 (outgoing mail, incoming mail and telnet.)

The best course of action is a business policy.  Unless the employees are too many, or too daring, simply state that having AOL on the system is a terminatable offense.  Sucks to have to resort to any of the above, but one does what one must.


Expert Comment

ID: 11731693
I believe routers with integrated firewalls could be something good. Moreover, I'd have Win2K or WinXP installed on every PC with restrictions applied to every user. So the only one that could install software would be the Admin, and for the rest, they would need to ask the admin to install anything. For sites that don't need installation, you block them in the firewall of the router so it's like invisible to the users.

Jean-Francois Trepanier
Computer technician, Programmer, Network Admin
BCE Emergis

Expert Comment

ID: 11957999
Symantec has web filtering software that can filter out URLs and file types that you may specify. It also enables a proxy that all users must route through in order to get to the web, so the users must log in to access the internet. It disconnects the LAN option to disable proxy routing in IE. It works with Active Directory, so you may put users that you want to monitor in a specific OU. You can process timely reports to track users' web surfing history. Check it out!

ID: 11980324
I have found one of the easiest methods for containing IM clients is to create a DNS entry on your network for each service's authentication server. For example, if AOL IM uses as its authentication server you could set up a record in your DNS server named and point it to a local IP address.

This will not allow the IM client to authenticate, as it will not be able to find an actual IM server at or whatever local IP address you have entered.

Keep in mind though that this will cause an IM outage for all who use that particular DNS server, but to eliminate a particular IM client at your company this should do the trick.
