How do I filter web content?

We have a Netgear router. It allows me to block key words based on words in the DNS name.

I want to be able to block out things like Adult content. Running Server 2k3, and server NT 4.0....

What is the best way to filter out web pages and stop users from going to those sites at my place of employment?

(net nanny isn't an option  <grin> )

Thanks all
My recommendations would be either of the two....




I personally like SurfControl better based on demos I've been involved in.

Hope this helps.
mrchaos101 (Author) commented:

I'm not seeing a price on their web site for SurfControl.... this scares me hehe

ALSO please see how our network is setup here:

                                                                   ----------------Server 2003

My PC's use the IP of the Server2003 for DNS.

I'm new to the network game so I just want to test how I understand it here..

PC asks for  --------->goes to Switch------------->Switch sees DNS request and sends the request to the Server 2003------>  Server looks at it and decides dns asked for is not for our network----------->Forwards request to switch with a NEW DNS request (using the DNS server info for my ISP)------Switch sends it to router----------->sends request to ISP.

I know it is rude here but IF you could follow it

I think that is how it works and BECAUSE all my internet traffic is going through the 2003 server, I should be able to set up SurfControl in that PC and it should work, correct?

Another option for you is an iPrism appliance. It would go inline between your switch and Firewall, so all traffic literally passes through it.
mrchaos101 (Author) commented:
Wow that is neat hehe...

Let me add a few things. We are small so cost is a HUGE issue. I am sorta new to networking so it needs to be easy.

It doesn't have to be HUGE and great, just effective enough to hold back about 20 computers.
None of these solutions are going to be cheap, but I think that the simplicity of the iPrism is awesome, and I have put several of them into operation for clients. WebSense is another great product, but expensive and requires a separate server to run it on, and not every firewall works well with it.

With only 20 users, simple written acceptable use policies that everyone must sign acknowledgement of would be a deterrent to most employees. Any employee that is caught violating the policy gets a reprimand, fired on the spot for downloading adult content, or "written up" at the very least. The cost is zero $. It won't take long to bring everyone into compliance.

I'm not sure, but you can probably do some simple sort of filtering on the Firewall/Router. Check the manual.

If that isn't enough, put a Proxy Server between the firewall and the rest of your network. If you only need the proxy server to do content filtering you can use a simple, old, phased-out PC as hardware, throw a Linux distro on it (free), plus the Squid proxy software, also free and included in most distros. You would of course have to spend some time to get it up and running. Once it is running, you wouldn't have to spend too much time on it anymore.
You can, of course, also use a proxy server as a cache for internet pages. This results in access to cached objects being a lot faster than if they had to be gotten directly from the internet, but this also needs a larger disk and more RAM.
A proxy server keeps a log of the internet activity, so you could analyze the surfing habits of the employees. You can also set it up to need authentication, thus only allowing those to surf the web who provide a valid username and password.
It seems like your PC's have a direct connection to the internet. They only use the Server for DNS requests which the server then resolves using external DNS servers. This is a problem because you have two options:

1. Use content filtering on each PC, which is difficult to manage
2. Use a centralised filtering solution, which is expensive

I have to propose the following:

1. Use a dummy IP address on each PC. If your server is using DHCP to assign addresses to the internal PC's (you should), assign one more address on the network interface card ( for example) and let the rest of the 10.0.1.x range be available to the internal PC's to request IP addresses. This way your PC's won't have a direct connection to the internet and they will have to use a proxy server.

2. Install and use a proxy server with content filtering. You have two more solutions here - the cheap/free one and the professional/expensive one. If you are on a tight budget then you have to use an old PC to install a free version of Linux, then install Squid and finally use a free product like DansGuardian to filter out specific content. If you are not on a tight budget, then there are a lot of expensive commercial content filtering products, but I don't think you intend to use one of them (they are subscription based and are aimed at big corporations that have a lot of money to spend).

Karasardelis Kostas
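
A minimal Squid configuration covering what the two proxy posts above describe (domain and keyword blocking, per-user authentication, access logging), added here as an example and not part of any poster's reply. The 10.0.1.x range comes from the thread; the /24 mask, the file paths and the auth helper location are assumptions that vary by distribution.

```conf
# /etc/squid/squid.conf (fragment): added example, not from the thread.
# Assumed: LAN is 10.0.1.0/24; list files and helper path are placeholders.

http_port 3128

# Require a username/password before any browsing (basic auth against an
# htpasswd-style file). Helper location is an assumption; check your package.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Office web proxy
acl authenticated proxy_auth REQUIRED

acl localnet src 10.0.1.0/24

# One domain per line; a leading dot also matches subdomains (.example.com).
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

# One case-insensitive regex per line, matched against the requested URL.
# For HTTPS the proxy only sees "CONNECT host:443", so keywords in the path
# or query string of an HTTPS URL are never visible to this rule.
acl blocked_words url_regex -i "/etc/squid/blocked_words.txt"

# http_access rules are evaluated top-down; the first match decides.
http_access deny !localnet
http_access deny blocked_domains
http_access deny blocked_words
http_access allow authenticated
http_access deny all

# Per-request log; with authentication on, each line carries the username.
access_log daemon:/var/log/squid/access.log squid
```

This only matches on URLs; filtering on page content is what a tool such as DansGuardian adds in front of Squid. The filter holds only if the router drops outbound web traffic from every internal address except the proxy, otherwise a PC can simply bypass it.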
mrchaos101, SurfControl can work in your situation by a number of methods. Since you are using a switch and not a hub, you could mirror or map the port that your internet comes in on. I believe you could install a second NIC in the server in which all traffic passes through in promiscuous mode.
I'm sorry that wasn't the right are the prices...
According to your request your best bet is to setup some kind of proxy between you and the internet.

Now there are two directions you can take to do this.

You can setup your win 2k3 server with Web filtering Software or Windows Proxy server / Use the free Linux solution as stated above

OR you can buy an appliance that has the web content built in.

We use Watchguard appliances for our web filtering.

These devices offer a tremendous amount of features that come in upgrades so you don't have to shell out the cash all at once.

You can purchase the web content filtering upgrade which I believe uses the same database as surf control.

The filtering option allows you to block by ip address, domain name, Categories and some other options

The only catch is that you have to purchase a renewal subscription every year to get the latest downloads from surf control for the categories section. This ranges from $70+ depending on what appliance you have.

We use a firebox x1000 for our corporate headquarters (300 computers) and firebox x15 edge for our branch offices (15 computers) both have the web content filtering upgrade.  We can administer the web contents rules, VPN, firewall rules etc for all the x15 appliances from the X1000
There's also drag and drop VPN between appliances and remote users. Plus the administration comes in one WYSIWYG interface that's easy to maintain.
Plus I'm guessing that the netgear router is a little outdated and this would be perfect to replace it with instead of messing with cumbersome server setups.
I would recommend iPrism from St. Bernard. I implemented it on our network and it wasn't too hard to configure and the 1u piece of hardware connects between your firewall and switch. The great thing about it is that you can use NTLM Authentication with your Active Directory to authenticate users. You can set up custom ACLs and assign groups or users to these ACLs. With the ACLs you can determine what end users can access or block websites that you don't want them to get to. You can also run custom reports for a group or user to see what they are accessing. I called the sales rep and was able to obtain a demo. I'm sure you'll be able to get one as well.
Get a second NIC for one computer and run Winproxy on it - - that is cheap for small networks and does really good filtering.

mrchaos101 (Author) commented:

Winproxy is about where I want to be cash wise.

It shows URL filtering. So does this mean I have to KNOW what web sites I want to filter to get it to work?

Can it filter out key words  like Adult, XXX, Nudity etc?

Maybe you'll want to have a look at n2h2's Sentian.
The homepage about the product info is here:

You can find prices here:
