Restrict Internet Access using Content Advisor and Group Policy?!?!

Posted on 2004-12-01
Last Modified: 2009-12-07

I have a Windows Server 2003 domain with Windows 2000 clients. We would like to implement internet access restrictions at the lowest possible cost. Our requirements are:

Do not allow users to browse to any sites except 6 websites which they need for work.

1. Can we use Content Advisor to disallow all sites except the 6 sites we want employees to go to?
2. Can we use Group Policy to push this policy out to one OU?
3. If we can do none of the above, what would be the simplest and lowest cost solution we can implement to restrict access to all but 6 websites?

Thank You

Question by:ccarmichael7
    LVL 1

    Expert Comment

    I believe your best bet would be restricting use via Group Policy; it can be done by user or user groups! Hope that helps a little!
    LVL 18

    Expert Comment

    I honestly would suggest using a proxy server if you want to be able to COMPLETELY restrict internet access.

    Group Policy will work to do this for Internet Explorer, so if you only want to limit IE browsing then you can use Group Policy and restrict the sites in IE without a problem... but understand that your users can still use another browser such as Firefox and surf the web freely.

    Author Comment

    Thanks for the tip, but I can't seem to figure out how to use Content Advisor or security zones to totally restrict the internet except for 6 sites. If I am missing something, please let me know, but it doesn't seem that this can be done with Group Policy.

    Author Comment

    Bumped value up to 500 points as this question seems very hard to answer

    Author Comment

    Sorry, I didn't mention that there are 3 different offices that require this, all connected via VPN, so a proxy server won't really work. All I want to do is restrict IE to those sites using Group Policy; I can not allow the users to install programs, which would stop them from installing Firefox etc.

    Maybe I am missing something, but the only place in IE I seem to be able to do this is Content Advisor, and there is no rule I can see to set it to disallow everything except what I put in the allowed list.

    If this is possible, please show me how!
    LVL 18

    Expert Comment

    Well, playing devil's advocate, they can run Firefox off of a jump drive (no need to install it, so you don't have to be an admin) and still surf the net unless you prohibit the use of jump drives :) I know most users won't think of that... but it can be done :)


    In group policy under:

    User Config- Windows Settings- Internet Explorer Maintenance

    This is where you will need to make your changes.
    LVL 26

    Expert Comment

    by:Leon Fester
    Check out this site from MS.
    It explains how you can configure the automatic proxy settings. Use this in conjunction with the Group Policy mentioned above, and you should be able to configure some pretty decent scripts to allow access to the Internet. It requires a little programming logic to figure out, 'cos they are scripts and you will have to change the IF-statements to reverse the proxy options to restrict access instead of using the proxy option.

    Author Comment

    Thanks for all the advice guys,

    The problem here is that the network is composed of four offices with 3-9 computers each. They are all linked up with inexpensive VPN routers (Netgear). Using a proxy server doesn't really work, since I don't want all the internet traffic to run through the main office.

    I have searched high and low in internet explorer maintenance for a way to limit access to only 6 sites, but there doesn't seem to be a way to do it using content advisor or security settings.  Does anyone know what specific settings it takes to accomplish this?

    It seems to me the problem here is that Internet Explorer is not capable of limiting itself to only 6 sites, regardless of Group Policy.

    If anyone can show me how to make internet explorer do this, I'll award the points to them.  Otherwise I will just split them up amongst everyone who answered.

    Thanks for the help!
    LVL 38

    Accepted Solution

    I posted to your question:

    To use Content Advisor: while I'm not sure about using AD to push it out, it is easy to configure.
    On the "Allowed sites" tab in Content Advisor, you can allow (aka Always) or deny (aka Never) by single IP, IP range or DNS name, each entry marked always/never.

    Content Advisor is "chatty", as I think you've noticed when you say "is not capable of limiting itself to only 6 sites". That is a task better suited to the Internet zones.
    I linked to them in the other thread.

    To summarize what I placed in the other thread:
    IMHO I'd:
    Get a policy written up to make it nice and official; this way you can also get HR to help drive home that the company is serious about the restrictions. SANS has the best policy page with free and configurable examples.
    If your users are admins of their own machines, even proxies won't help because the users can install another browser, or use a jump drive or even a CD-ROM as mentioned above. The only way to force them into using the proxy would be to block ports 21, 80, and 443 outbound. Then even if they did use a CD-ROM, jump drive, or even installed another browser, they couldn't get out very easily. It can still be done, but it's more than most users know how to do.

    After the policies have been read and signed (in HR's presence, with HR signing off too that the user read the policy), get an Ntop instance installed at each site. Ntop is free, and it's ported to Windows for free by OpenXtra. You'll need to set up a spanned port or a hub in order to see all the traffic properly.
    Ntop will monitor all traffic, and break down each PC's usage between the different protocols: HTTP, SSH, ICMP, Kazaa, SMTP etc... Armed with Ntop and your policies, you can definitely show the users that you're serious, or rather that your company is serious, and that you are watching every packet.

    It comes off sort of "nazi" in type, but your users can be made to understand that you're protecting the entire company. It may seem unfair that there are users that are not going to be watched as closely; however, you can assure them that they are being watched also.

    # It is estimated that 3 to 5 million web sites are newly established or renamed each week, making the collection and storage of accurate data virtually impossible. Providers of site blocking technology, however, claim a greater than 90% accuracy in database tracking of Internet sites, a claim that is highly improbable based on the sheer volume of new and renamed sites.
    # Site blocking can block vast amounts of good data along with the bad.
    # Site blocking technology focuses only on HTTP based web traffic, leaving other applications such as instant messaging, e-mail, e-mail attachments, and other desktop applications as continuing security risks.
    # Site blocking conveys to your users that if they find inappropriate sites that are not blocked then it's OK to use them.

    LVL 38

    Expert Comment

    by:Rich Rumble
    DOH! I don't know why I didn't think of this earlier...
    IPSEC firewall. While I think the policies and Ntop are also essential in any LAN, ipsec can make all of this very easy.

    I can make an example IPSEC file and post it here, however you'd have to ultimately configure it for your environment.
    Basically you can set it up to block port 80, 443 or anything else to all destinations, except the few that you want to allow.
    Runs on the workstations themselves (win2k,xp or 2003) so even if they do install their own browser, they won't get anywhere.
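
Rich Rumble offers to post an example IPsec file above but none appears in the thread. The script below is an added example written for this page (my own, not Rich's and not a Microsoft sample) of the allowlist policy he describes, built with the netsh ipsec static commands of Windows XP and Server 2003. It blocks outbound TCP 80 and 443 to every destination and adds permit filters for the approved sites; IPsec applies the most specific matching filter, so a single-address permit beats the any-destination block. The domain name, filter names and the three IP addresses are placeholders (assumptions), and netsh ipsec does not exist on Windows 2000, so for 2000 clients the policy is built once in the domain store on the 2003 server and delivered by Group Policy rather than run on each client.

```batch
@echo off
rem Added example: host-based web allowlist with IPsec filters.
rem Run as an administrator on Windows XP / Server 2003.

rem Test on ONE workstation first (local store). When it behaves, re-run
rem with the domain store so Group Policy delivers it to the OU:
rem   netsh ipsec static set store location=domain domain=corp.example.com
rem (corp.example.com is a placeholder) and assign the policy inside the
rem GPO linked to that OU, under Computer Configuration > Windows Settings >
rem Security Settings > IP Security Policies on Active Directory.
netsh ipsec static set store location=local

rem --- filter actions ----------------------------------------------------
netsh ipsec static add filteraction name="EE-Block"  action=block
netsh ipsec static add filteraction name="EE-Permit" action=permit

rem --- deny list: all HTTP/HTTPS from this machine to anywhere ------------
rem mirrored=yes also matches the reply packets of the same connection.
netsh ipsec static add filterlist name="EE-Web-Deny"
netsh ipsec static add filter filterlist="EE-Web-Deny" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filter filterlist="EE-Web-Deny" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

rem --- allow list: the approved sites (placeholder addresses) -------------
rem One pair of filters per address a site answers on. A site that moves to
rem a new address or answers on several needs every current address here.
netsh ipsec static add filterlist name="EE-Web-Allow"
for %%A in (192.0.2.10 192.0.2.11 198.51.100.5) do (
  netsh ipsec static add filter filterlist="EE-Web-Allow" srcaddr=me dstaddr=%%A dstmask=255.255.255.255 protocol=TCP srcport=0 dstport=80  mirrored=yes
  netsh ipsec static add filter filterlist="EE-Web-Allow" srcaddr=me dstaddr=%%A dstmask=255.255.255.255 protocol=TCP srcport=0 dstport=443 mirrored=yes
)

rem --- policy and rules ----------------------------------------------------
netsh ipsec static add policy name="EE-Web-Allowlist" description="Only approved web sites" assign=no
netsh ipsec static add rule name="Deny web"       policy="EE-Web-Allowlist" filterlist="EE-Web-Deny"  filteraction="EE-Block"
netsh ipsec static add rule name="Allow approved" policy="EE-Web-Allowlist" filterlist="EE-Web-Allow" filteraction="EE-Permit"

rem Activate in the local store. (In the domain store, assign through the
rem GPO instead.) To back out:  netsh ipsec static set policy name="EE-Web-Allowlist" assign=n
netsh ipsec static set policy name="EE-Web-Allowlist" assign=y
```

Because the deny filter matches every destination, anything else on those machines that speaks HTTP or HTTPS (Windows Update, antivirus updates, intranet web servers, the Netgear routers' admin pages) is blocked too until its address is added to EE-Web-Allow, which is why a local test on one workstation comes before the domain rollout. The policy is enforced by the IPsec driver, so a browser carried in on a jump drive is caught just like IE.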

    Author Comment

    Thanks for all your answers, Rich Rumble is correct. You can do it with Content Advisor, and it can be pushed down through AD. I feel a little stupid, since I assumed that I had to set every other site to not allowed for the rules to work correctly. Since Rich Rumble also included info about the HR policies, and how to do it using the IPsec filters, I am awarding the full points to him.

    Thank you!

    Expert Comment

    I have used the content advisor to do this many times.  The key that is missing above is that you need to load the noaccess.rat file.
    Start below--------------------------------------------
    ((PICS-version 1.0)
     (rating-system "")
     (rating-service "")
     (name "Noaccess")
     (description "This file will block all sites.")
     (category
      (transmit-as "m")
      (name "Yes")
      (label
       (name "Level 0:   No Setting")
       (description "No Setting")
       (value 0) )
      (label
       (name "Level 1:   No Setting")
       (description "No Setting")
       (value 1) ) ))
    end above-------------------------------------------------------

    Copy and paste the above script into Notepad and save it as noaccess.rat.
    Save that .rat file in the c:\windows\system32 directory on each client and on the server. On the server, configure the policy and load the noaccess.rat file. This script locks ALL websites out. Once configured via Group Policy, you allow the websites on the server by typing the password and selecting Always Allow. It is then pushed to the clients via your Group Policy.

    This is the quick and dirty explanation, but it should be enough to get you started. The noaccess.rat file is really the key. You assign a password in your Group Policy, and when you need a site unlocked you open it on the server, unlock and allow the website, and the clients acquire the setting via the Group Policy. It is truly a poor man's lockdown. Of course it can be circumvented with Firefox or Safari, but most users do not know this. You could then take it a step further and use software restriction policies so that users cannot install any other web browser.

    I hope this clarifies the issue.
