How do I block aol, yahoo, msn from being accessed from my network?

I have a client who is having a problem with her employees not doing enough work. They are constantly on AOL, Yahoo, or MSN. How do I block them from accessing those programs/websites? She also wants to see if there is a program to see what they are doing on their computers. She said she can run a report telling her what her employees are accessing. Is there a program that acts like Big Brother? She doesn't want her employees to find out.
She is running XP Pro on 5 machines.  Server is Windows 2000 SP4
jeremytse19 commented:
hi modriven,

from a previous question i answered:

Again I can't vouch for the software, as I have never used it.

Hi Ridek,

The link that I sent you actually talks about blocking the ports / servers that are used to chat. Having said that, the user can simply use another chat program / server / port. So it will require maintenance on your part as servers / ports become usable for messengers. (eg. HTTP wasn't able to be used before .. but now it is).

Another user suggested for XP " run secpol.msc, go to software restriction policies, additional rules, add rules that block ypager.exe (for Yahoo), do the same for other programs like ICQ and so on. Uninstall the program. Even after reinstalled, it will not run.".

However, if the user is smart enough, they can either rename the program, or use other software (such as Miranda or Trillian).

I'm not sure why yahoo and msn are excluded when you disable installs.

If you can't find out why, maybe you might want to consider this or something similar?
I can't vouch for it as I have never used it.

this also might be of interest ...

hope any of this helps in you finding a solution.

You didn't specify how you connect to the internet, but more than likely you have some sort of routing device that is sharing your internet connection. To block these apps from working you need to close the ports they communicate over. Find out what ports you need to block (for example, AOL Instant Messenger uses port 5190) and configure your router's firewall settings to block those ports.

Good Luck!
The easiest way of doing this (I had to do this) is to get a product like ANS (Active Net Steward). This is firewall and surf-control software that can block applications; this is useful as it can be controlled centrally by an administrator.

See link

You can also use applications like McAfee Internet Suite installed on the workstation, but they can't be centrally controlled.

Just blocking ports is not always the solution, as users can use ICQ and configure its port to the proxy or internet port that you have set!!

Hope this helps.


From a previous EE posting:


Seeing as all of these will tunnel through port 80 if all other ports are blocked, blocking port 80 isn't going to do much good, as you'll stop web browsing for everybody else....
You need to block access to the AOL, MSN and Yahoo IP addresses directly.


Preventing IM traffic from leaving the network is also difficult. Like Napster, the major IM clients will work quite hard to find a port to exit your LAN, using HTTP if they have to. AIM needs to connect to the host in order to start up, so blocking traffic to this destination will effectively shut it down. However, at press time, the name com points to the following IP addresses, according to a DNS lookup:

You'll need to block all of these and check for any new servers on a regular basis. Yahoo! Messenger can be blocked in a similar way, by killing off outbound access to the hosts answering to the following names:

Each of the above names resolves out to multiple IP addresses-and, of course, Yahoo! can add new addresses at any time, making it an ongoing battle.

MSN Messenger can be blocked by blocking IP access to the Hotmail network range- through Interestingly, this does not seem to totally block access to Hotmail's Web-based mail service.


Well... for accessing those web pages, he could simply modify the c:\windows\system32\drivers\etc\hosts file, typing like

and stuff like that... no?

But if you want real access restrictions and stuff like that, you should buy a firewall. I know that Norton Internet Security can restrict access to some sites. Is it easy to manage... no idea.
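To go with the hosts-file suggestion in the answer above, here is an added example (not part of the original post) that keeps the sinkholed names in a marked section of a hosts file, so the block can be updated or removed later without disturbing the rest of the file, and checks which address a name ends up resolving to. The names are placeholders (an assumption), not the real IM servers.

```python
# Added example: maintain a managed block of sinkholed names in a hosts file.
# The names below are placeholders (an assumption), not the real IM servers.

MARK_BEGIN = "# BEGIN managed IM block"
MARK_END = "# END managed IM block"
SINK_IP = "127.0.0.1"
BLOCKED_NAMES = ["login.example-im.test", "messenger.example-im.test"]


def parse_hosts(text):
    """Yield (ip, [names]) for each active mapping line, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], [name.lower() for name in parts[1:]]


def render_managed(names, sink_ip=SINK_IP):
    """Build the managed section: one line per name, de-duplicated and sorted."""
    lines = [MARK_BEGIN]
    for name in sorted({n.lower().rstrip(".") for n in names}):
        lines.append(f"{sink_ip}\t{name}")
    lines.append(MARK_END)
    return lines


def update_hosts(text, names, sink_ip=SINK_IP):
    """Return hosts text with exactly one managed section.

    Lines outside the markers are preserved; a previous managed section is
    replaced wholesale, so dropping a name from `names` also drops its
    mapping. Running it twice with the same input leaves the file unchanged.
    """
    kept, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == MARK_BEGIN:
            inside = True
            continue
        if stripped == MARK_END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept + [""] + render_managed(names, sink_ip)) + "\n"


def resolves_to(text, name):
    """Return the address the hosts file gives `name`, or None if unmapped.

    Resolvers take the first matching line, so file order matters.
    """
    wanted = name.lower().rstrip(".")
    for ip, names in parse_hosts(text):
        if wanted in names:
            return ip
    return None


if __name__ == "__main__":
    # Constructed starting file; on XP the real file is the
    # drivers\etc\hosts path given in the post above.
    current = "127.0.0.1\tlocalhost\n"
    new_text = update_hosts(current, BLOCKED_NAMES)
    print(new_text)
    for n in BLOCKED_NAMES:
        print(n, "->", resolves_to(new_text, n))
```

Keep in mind what this does and does not cover: it only affects name resolution on the machine whose hosts file you edited, a client that is handed a literal IP address never consults it, and any user with write access to the file can undo it.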
I would recommend WinGate (corporate proxy). I'm using it for almost a year now and I'm very happy with it.

Recently I wrote an app which looks for window captions and terminates the application. You need to feed it with keywords like "yahoo", though.
Something of interest:
Honestly, since Yahoo and AOL/AIM offer "in browser" buddy lists, it's very hard to block the use of the control module in the browser. For instance, you go to each computer, uninstall Yahoo Messenger and AOL's AIM and even MSN, and then set all their user rights to not allow installing programs/applications. Once they find out this won't work, they will just use the "in browser" version. Now, as "steveoh" stated, to actually prevent them from using it you will need to block the port, the IP address, the host name, whatever. What we do at our organization is block all users from any kind of internet signal with our firewall and then assign users who actually need the internet for productivity a static IP address. Then, for your look-in tool, you can use a freeware called VNC or Remote Desktop within XP. Good luck locking down those users. Oh, by the way, they're gonna hate you for it, but someone has to do the job!
Most of these IM programs can connect to their servers on an arbitrary port, so blocking ports isn't going to help. MSN can connect via HTTP as well (I'm sure others can as well). An easy way that doesn't require installing things on every workstation is to run a proxy server. Then you can block outgoing connections to all ports for everybody except the proxy server, and configure the proxy to disallow access to the IM login servers.
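Following the proxy suggestion in the comment above, this added example (not from the original post) shows the decision a proxy has to make once it is the only host allowed out of the LAN: deny by destination name suffix, deny by destination address range (for clients that are handed a literal IP by their login server), and allow CONNECT tunnels only to 443 so that an IM client cannot tunnel an arbitrary port through the proxy. It then replays constructed proxy log lines through the same policy to give the per-user report the question asks about. The suffixes, the network range (TEST-NET-1) and the log lines are constructed placeholders, not the real IM servers or real traffic.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Added example policy. Suffixes and the address range are placeholders
# (assumptions standing in for the IM login servers and provider ranges
# discussed on the page); 192.0.2.0/24 is the documentation range TEST-NET-1.
BLOCKED_SUFFIXES = ("example-im.test", "chat.example.test")
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_CONNECT_PORTS = {443}   # CONNECT is a raw tunnel, so limit it to HTTPS


def host_blocked(host):
    """True if `host` (a DNS name or a literal IP) falls under the block list."""
    host = host.lower().rstrip(".").strip("[]")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)
    return any(addr in net for net in BLOCKED_NETS)


def decide(method, target):
    """Return ("allow" | "deny", reason) for one proxy request.

    `target` is what the client sends: "host:port" for CONNECT, an absolute
    URL for ordinary requests.
    """
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, "443"
        port = int(port) if port.isdigit() else 443
        if host_blocked(host):
            return "deny", "blocked IM host"
        if port not in ALLOWED_CONNECT_PORTS:
            return "deny", f"CONNECT to port {port} not permitted"
        return "allow", "https"
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "deny", "non-web target"
    if host_blocked(parts.hostname):
        return "deny", "blocked IM host"
    return "allow", "web"


# Constructed proxy log lines (client ip, user, method, target); not real traffic.
SAMPLE_LOG = """\
10.0.0.11 jsmith CONNECT login.example-im.test:443
10.0.0.11 jsmith GET http://www.example.com/
10.0.0.12 mjones CONNECT 192.0.2.44:5190
10.0.0.12 mjones GET http://messenger.example-im.test/gateway
10.0.0.13 pdoe GET http://intranet.example.com/
"""


def denied_per_user(log_text):
    """Replay log lines through the policy and count denials per user."""
    denied = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ip, user, method, target = line.split()
        verdict, _reason = decide(method, target)
        if verdict == "deny":
            denied[user] += 1
    return dict(denied)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        _ip, user, method, target = line.split()
        print(user, method, target, "->", decide(method, target))
    print(denied_per_user(SAMPLE_LOG))
```

The address-range check matters because, as the earlier comments note, the clients fall back to other ports and to plain HTTP; once every workstation can only reach the proxy, the proxy's view of destination names and addresses is the one place the policy has to be enforced and the one place the access log is complete.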
Mike R. commented:
There are many programs which monitor program access and system usage.  Do some searches on the net to find the best ones.  Altiris, and even Microsoft SMS work well.

A firewall is what is necessary to prevent ports from being used, but AOL allows savvy users to change their connection port, even to use ones like 110, 21 and 23 (outgoing mail, incoming mail and telnet).

The best course of action is a business policy. Unless the employees are too many, or too daring, simply state that having AOL on the system is grounds for termination. Sucks to have to resort to any of the above, but one does what one must.

I believe routers with integrated firewalls could be something good. Moreover, I'd have Win2K or WinXP installed on every PC with restrictions applied to every user, so the only one who could install software would be the admin and, for the rest, they would need to ask the admin to install anything. For sites that don't need installation, you block them in the firewall of the router so they're effectively invisible to the users.

Jean-Francois Trepanier
Computer technician, Programmer, Network Admin
BCE Emergis
Symantec has web filtering software that can filter out URLs and file types that you specify. It also enables a proxy that all users must route through in order to get to the web, so the users must log in to access the internet. It disables the LAN option in IE that would let them bypass the proxy. It works with Active Directory, so you may put users that you want to monitor in a specific OU. You can produce periodic reports to track users' web surfing history. Check it out!
Derek Schauland (Microsoft MVP), IT Consultant, commented:
I have found one of the easiest methods for containing IM clients is to create a DNS entry on your network for each services authentication server.  For example, if Aol IM uses as its authentication server you could set up a record in your DNS server named and point it to a local IP address.

This will not allow the IM client to authenticate as it will not be able to find an actual IM server at or whatever local ip address you have entered.  

Keep in mind though that this will cause an IM outage for all who use that particular DNS server, but to eliminate a particular IM client at your company this should do the trick.