Restrict Internet Access using Content Advisor and Group Policy?!?!

Posted on 2004-12-01
Medium Priority
Last Modified: 2009-12-07

I have a Windows Server 2003 domain with Windows 2000 clients. We would like to implement internet access restrictions at the lowest possible cost. Our requirements are:

Do not allow users to browse to any sites except 6 websites which they need for work.

1. Can we use content advisor to disallow all sites except the 6 sites we want employees to go to?
2. Can we use group policy to push this policy out to one OU?
3. If we can do none of the above, what would be the simplest and lowest cost solution we can implement to restrict access to all but 6 websites?

Thank You

Question by: ccarmichael7

Expert Comment

ID: 12719990
I believe your best bet would be restricting use via Group Policy; it can be done by user or user groups! Hope that helps a little!
LVL 18

Expert Comment

ID: 12720355
I honestly would suggest using a proxy server if you want to be able to COMPLETELY restrict internet access.

Group policy will work to do this for Internet Explorer, so if you only want to limit IE browsing then you can use group policy and restrict the sites in IE without a problem...but understand that your users can still use another browser such as Firefox and surf the web freely.

Author Comment

ID: 12720358
Thanks for the tip, but I can't seem to figure out how to use content advisor or security zones to totally restrict the internet except for 6 sites. If I am missing something, please let me know, but it doesn't seem that this can be done with group policy.

Author Comment

ID: 12720381
Bumped value up to 500 points as this question seems very hard to answer

Author Comment

ID: 12720438
Sorry I didn't mention that there are 3 different offices that require this, all are connected via VPN, so a proxy server won't really work. All I want to do is restrict IE to those sites using group policy; I cannot allow the users to install programs, which would stop them from installing Firefox etc...

Maybe I am missing something, but the only place in IE I seem to be able to do this is content advisor, but there is no rule I can see to set it to disallow everything except what I put in the allowed list.

If this is possible, please show me how!
LVL 18

Expert Comment

ID: 12721143
Well, playing devil's advocate....you can run Firefox off of a jump drive (no need to install it so you don't have to be an admin) and still surf the net unless you prohibit the use of jump drives :)  I know most users won't think of that....but it can be done :)


In group policy under:

User Config- Windows Settings- Internet Explorer Maintenance

This is where you will need to make your changes.
LVL 26

Expert Comment

by: Leon Fester
ID: 12723796
Check out this site for MS.
It explains how you can configure the automatic proxy settings. Using this in conjunction with the Group Policy mentioned above, you should be able to configure some pretty decent scripts to allow access to the Internet. It requires a little programming logic to figure out, 'cos they are scripts and you will have to change the IF-statements to reverse the proxy options so they restrict access rather than just select the proxy.
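A concrete version of the reversed IF-logic described above, as an added example that is not from the thread: a proxy auto-config (PAC) script in which only the allowed hosts go DIRECT and every other request is handed to a proxy that is not listening. The six hostnames and the sink address are constructed placeholders; isAllowed and FindProxyForURL (the name the browser calls) are the only functions.

```javascript
// Constructed placeholders for the six permitted sites; replace with the real names.
const ALLOWED_HOSTS = [
  "intranet.example.com", "payroll.example.com",
  "vendor-one.example.net", "vendor-two.example.net",
  "support.example.org", "mail.example.com",
];

// Everything else is handed to a proxy that is not listening, so the request
// fails. Port 9 on the loopback address is a constructed sink, not a real proxy.
const SINK = "PROXY 127.0.0.1:9";

// Exact-match check: a suffix test such as host.indexOf("example.com") would also
// match payroll.example.com.elsewhere.invalid, so compare whole hostnames only.
function isAllowed(host) {
  const h = host.toLowerCase().replace(/\.$/, "");   // normalise case and trailing dot
  return ALLOWED_HOSTS.some((a) => h === a || h === "www." + a);
}

// Entry point the browser calls for every request; IE reads the script from the
// automatic configuration URL pushed out through Internet Explorer Maintenance.
function FindProxyForURL(url, host) {
  return isAllowed(host) ? "DIRECT" : SINK;
}
```

As the thread already points out, only a browser that honours the pushed proxy setting is covered by this file; Firefox run from a jump drive is not.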

Author Comment

ID: 12732620
Thanks for all the advice guys,

The problem here is that the network is composed of four offices with 3-9 computers each. They are all linked up with inexpensive VPN routers (Netgear). Using a proxy server doesn't really work, since I don't want all the internet traffic to run through the main office.

I have searched high and low in Internet Explorer Maintenance for a way to limit access to only 6 sites, but there doesn't seem to be a way to do it using content advisor or security settings. Does anyone know what specific settings it takes to accomplish this?

It seems to me the problem here is that Internet Explorer is not capable of limiting itself to only 6 sites, regardless of group policy.

If anyone can show me how to make internet explorer do this, I'll award the points to them.  Otherwise I will just split them up amongst everyone who answered.

Thanks for the help!
LVL 38

Accepted Solution

Rich Rumble earned 1600 total points
ID: 12745295
I posted to your question: http://experts-exchange.com/Security/Q_21226765.html

To use content advisor, while I'm not sure about using AD to push it out, it is easy to configure.
On the "Allowed sites" tab in the content advisor, you can allow (aka Always) or deny (aka Never) by single IP, IP ranges or DNS name. always/never
or - always/never
thissite.com always/never

The content advisor is "chatty", as I think you've noticed when you say "is not capable of limiting itself to only 6 sites". That is a task better suited to the internet zones.
I linked to them in the other thread.

To summarize what I placed in the other thread:
Get a policy written up to make it nice and official; this way you can also get HR to help drive home that the company is serious about the restrictions. SANS has the best policy page with free and configurable examples. http://www.sans.org/resources/policies/
If your users are admins of their own machines, even proxies won't help because the users can install another browser, or use a jumpdrive or even a cdrom as mentioned above. The only way to force them into using the proxy would be to block ports 21, 80, and 443 outbound. Then even if they did use a cd-rom, jumpdrive, or even installed another browser, they couldn't get out very easily- it can be done still, but it's more than most users know how to do.

After the policies have been read and signed- in HR's presence with HR signing off too that the user read the policy- get an Ntop instance installed at each site. Ntop is free, and it's ported to windows for free by OpenXtra. You'll need to set up a spanned port or a hub in order to see all the traffic properly. http://www.openxtra.co.uk/products/ntop-xtra.htm
ntop will monitor all traffic, and break down each pc's usage between the different protocols, http, ssh, icmp, kazaa, smtp etc... Armed with ntop and your policies, you can definitely show the users that you're serious, or rather your company is serious, and that you are watching every packet.

It comes off sort of "nazi" in type, but your users can be made to understand that you're protecting the entire company. It may seem unfair that there are users that are not going to be watched as closely, however you can assure them that they are being watched also.

# It is estimated that 3 to 5 million web sites are newly established or renamed each week, making the collection and storage of accurate data virtually impossible. Providers of Site Blocking technology, however, claim a greater than 90% accuracy in database tracking of Internet sites, a claim that is highly improbable based on the sheer volume of new and renamed sites.
# Site Blocking can block vast amounts of good data along with the bad.
# Site blocking technology focuses only on HTTP based web traffic, leaving other applications such as instant messaging, e-mail, e-mail attachments, and other desktop applications as continuing security risks.
# Site Blocking conveys to your users that if they find inappropriate sites that are not blocked then it's OK to use them.

LVL 38

Expert Comment

by: Rich Rumble
ID: 12745347
DOH! I don't know why I didn't think of this earlier...
IPSEC firewall. While I think the policies and Ntop are also essential in any LAN, ipsec can make all of this very easy.


I can make an example IPSEC file and post it here, however you'd have to ultimately configure it for your environment.
Basically you can set it up to block port 80, 443 or anything else to all destinations, except the few that you want to allow.
It runs on the workstations themselves (win2k, xp or 2003), so even if they do install their own browser, they won't get anywhere.

Author Comment

ID: 12758553
Thanks for all your answers, Richcrumble is correct. You can do it with content advisor, and it can be pushed down through AD. I feel a little stupid, since I assumed that I had to set every other site to not allowed for the rules to work correctly. Since richcrumble also included info about the HR policies, and how to do it using the ipsec filters, I am awarding the full points to him.

Thank you!

Expert Comment

ID: 23652099
I have used the content advisor to do this many times. The key that is missing above is that you need to load the noaccess.rat file.
Start below--------------------------------------------
((PICS-version 1.0)
 (rating-system "http://www.microsoft.com")
 (rating-service "http://www.microsoft.com")
 (name "Noaccess")
 (description "This file will block all sites.")
 (category
  (transmit-as "m")
  (name "Yes")
  (label
   (name "Level 0:   No Setting")
   (description "No Setting")
   (value 0) )
  (label
   (name "Level 1:   No Setting")
   (description "No Setting")
   (value 1) ) ))
end above-------------------------------------------------------

Copy and paste the above script into Notepad and save it as noaccess.rat.
Save that .rat file in the c:\windows\system32 directory on each client and on the server. On the server configure the policy and load the noaccess.rat file. This script locks ALL websites out. Once configured via group policy you allow the websites on the server by typing the password and selecting always allow. It is then pushed to the clients via your group policy.

This is the quick and dirty explanation but it should be enough to get you started. The noaccess.rat file is really the key. You assign a password in your group policy and when you need a site unlocked you open it on the server, unlock and allow the website, and the clients acquire the setting via the group policy. It is truly a poor man's lockdown. Of course it can be circumvented with Firefox or Safari but most users do not know this. You could then take it a step further and use software restriction policies so that users cannot install any other web browser.

I hope this clarifies the issue.
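An added checker, not from the thread, for the .rat file in the comment above: it parses the PICS s-expression and reports the structural problems a rating file must not have (unbalanced parentheses from a bad copy-and-paste, a missing category, labels without an integer value). NOACCESS_RAT is a constructed copy of that file; parseSexpr, field and checkRat are hypothetical helper names.

```javascript
// Constructed copy of the noaccess.rat file from the comment above (same forms, one per line).
const NOACCESS_RAT = `((PICS-version 1.0)
 (rating-system "http://www.microsoft.com") (rating-service "http://www.microsoft.com")
 (name "Noaccess") (description "This file will block all sites.")
 (category (transmit-as "m") (name "Yes")
  (label (name "Level 0:   No Setting") (description "No Setting") (value 0))
  (label (name "Level 1:   No Setting") (description "No Setting") (value 1))))`;
// Parse the PICS s-expression into nested arrays; quoted strings lose their quotes.
function parseSexpr(text) {
  const tokens = text.match(/\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+/g) || [];
  let i = 0;
  const read = () => {
    const t = tokens[i++];
    if (t === undefined || t === ")") throw new Error("unbalanced parentheses");
    if (t !== "(") return t.startsWith('"') ? t.slice(1, -1) : t;
    const list = [];
    while (tokens[i] !== undefined && tokens[i] !== ")") list.push(read());
    if (tokens[i++] !== ")") throw new Error("unbalanced parentheses");
    return list;
  };
  const tree = read();
  if (i !== tokens.length) throw new Error("text after the top-level form");
  return tree;
}

// Values of the first (key ...) entry inside a form, or null when absent.
function field(form, key) {
  const hit = form.find((e) => Array.isArray(e) && e[0] === key);
  return hit ? hit.slice(1) : null;
}

// Structural checks a rating file needs; returns the list of problems (empty means OK).
function checkRat(text) {
  let tree;
  try { tree = parseSexpr(text); } catch (e) { return [e.message]; }
  if (!Array.isArray(tree)) return ["top-level form is not a list"];
  const problems = [];
  for (const k of ["PICS-version", "rating-system", "rating-service"])
    if (!field(tree, k)) problems.push("missing " + k);
  const cats = tree.filter((e) => Array.isArray(e) && e[0] === "category");
  if (cats.length === 0) problems.push("no category defined");
  cats.forEach((cat, n) => {
    if (!field(cat, "transmit-as")) problems.push(`category ${n}: no transmit-as`);
    const labels = cat.filter((e) => Array.isArray(e) && e[0] === "label");
    if (labels.length === 0) problems.push(`category ${n}: no labels`);
    for (const lab of labels)
      if (!/^-?\d+$/.test((field(lab, "value") || [""])[0]))
        problems.push(`category ${n}: label without an integer value`);
  });
  return problems;
}
```

Running checkRat over a copy that lost its "(category" and "(label" openers reports the unbalanced parentheses instead of silently producing a file Content Advisor cannot load.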
