Restrict Internet Access using Content Advisor and Group Policy?!?!


I have a Windows Server 2003 domain with Windows 2000 clients. We would like to implement internet access restrictions at the lowest possible cost. Our requirements are:

Do not allow users to browse to any sites except 6 websites which they need for work.

1. Can we use Content Advisor to disallow all sites except the 6 sites we want employees to go to?
2. Can we use Group Policy to push this policy out to one OU?
3. If we can do none of the above, what would be the simplest and lowest-cost solution we can implement to restrict access to all but 6 websites?

Thank You


I believe your best bet would be restricting use via Group Policy; it can be done by user or user groups! Hope that helps a little!
I honestly would suggest using a proxy server if you want to be able to COMPLETELY restrict internet access.

Group Policy will work to do this for Internet Explorer, so if you only want to limit IE browsing then you can use Group Policy and restrict the sites in IE without a problem...but understand that your users can still use another browser such as Firefox and surf the web freely.
ccarmichael7Author Commented:
Thanks for the tip, but I can't seem to figure out how to use Content Advisor or security zones to totally restrict the internet except for 6 sites. If I am missing something, please let me know, but it doesn't seem that this can be done with Group Policy.

ccarmichael7Author Commented:
Bumped value up to 500 points as this question seems very hard to answer
ccarmichael7Author Commented:
Sorry I didn't mention that there are 3 different offices that require this, all connected via VPN, so a proxy server won't really work. All I want to do is restrict IE to those sites using Group Policy; I cannot allow the users to install programs, which would stop them from installing Firefox etc.

Maybe I am missing something, but the only place in IE I seem to be able to do this is Content Advisor, but there is no rule I can see to set it to disallow everything except what I put in the allowed list.

If this is possible, please show me how!
Well, playing devil's advocate, users can run Firefox off of a jump drive (no need to install it, so you don't have to be an admin) and still surf the net unless you prohibit the use of jump drives :) I know most users won't think of that....but it can be done :)


In group policy under:

User Configuration > Windows Settings > Internet Explorer Maintenance

This is where you will need to make your changes.
Leon FesterSenior Solutions ArchitectCommented:
Check out this site for MS.
It explains how you can configure the automatic proxy settings. Using this in conjunction with the Group Policy as mentioned above, you should be able to configure some pretty decent scripts to allow access to the Internet. It requires a little programming logic to figure out, because they are scripts and you will have to change the IF-statements to reverse the proxy options, restricting access instead of just selecting a proxy.
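The auto-proxy idea above, written out as an added example; it is not code from the thread or from the Microsoft page referred to. The host names are placeholders I assumed and must be replaced with the six sites the employees need. Everything on the list is returned DIRECT, so allowed traffic never crosses the VPN to the main office; everything else is pointed at a proxy that does not exist (loopback, TCP discard port), so the request fails immediately instead of hanging. It is written in old-style JavaScript so the IE 5/6 JScript engine on Windows 2000 can load it, and it avoids the PAC helper functions (dnsDomainIs, shExpMatch) so the same file also runs under Node for testing.

```javascript
// PAC file: allow-list six sites, black-hole everything else.
// Added example, not code from the thread. Host names are placeholders
// (assumption) and must be replaced with the six sites actually needed.
// Old-style JavaScript so IE 5/6 JScript can load it; no PAC helper
// functions are used so it also runs under Node for testing.

// A bare domain on the list also matches its subdomains.
var ALLOWED_HOSTS = [
  "www.example.com",
  "example.org",
  "intranet.example.net"
];

// Non-existent proxy for everything else: loopback, TCP discard port.
// The connection is refused at once, so IE shows an error instead of hanging.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// True when host equals an allowed name or is a subdomain of one.
function hostAllowed(host) {
  var h = String(host || "").toLowerCase().replace(/\.$/, ""); // drop trailing dot
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    var a = ALLOWED_HOSTS[i].toLowerCase();
    if (h === a) return true;
    // Compare the suffix including its leading dot, so that neither
    // "notexample.org" nor "www.example.com.evil.test" matches.
    if (h.length > a.length && h.substr(h.length - a.length - 1) === "." + a) return true;
  }
  return false;
}

// Entry point the browser calls for every request. IP-literal URLs such as
// http://203.0.113.5/ arrive with the literal as host and are black-holed
// unless that literal is on the list.
function FindProxyForURL(url, host) {
  return hostAllowed(host) ? "DIRECT" : BLACKHOLE;
}

// Under Node only (never inside a browser): print a few decisions as a smoke test.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  var samples = ["www.example.com", "news.example.org", "203.0.113.5", "www.example.com.evil.test"];
  for (var j = 0; j < samples.length; j++) {
    console.log(samples[j] + " -> " + FindProxyForURL("http://" + samples[j] + "/", samples[j]));
  }
}
```

Serve the file from an internal web server and push its URL through User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Automatic Browser Configuration (the auto-proxy URL field). Pair it with the Administrative Templates policy "Disable changing proxy settings" under Windows Components > Internet Explorer, otherwise a user can simply untick automatic configuration in Internet Options. Like the Content Advisor approach, this only binds software that honours IE's proxy settings; a portable Firefox on a jump drive ignores it unless it is told to use the system proxy, which is why host-level IPsec filters (suggested later in the thread) are the stronger control.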
ccarmichael7Author Commented:
Thank for all the advice guys,

The problem here is that the network is composed of four offices with 3-9 computers each. They are all linked up with inexpensive VPN routers (Netgear). Using a proxy server doesn't really work, since I don't want all the internet traffic to run through the main office.

I have searched high and low in Internet Explorer Maintenance for a way to limit access to only 6 sites, but there doesn't seem to be a way to do it using Content Advisor or security settings. Does anyone know what specific settings it takes to accomplish this?

It seems to me the problem here is that Internet Explorer is not capable of limiting itself to only 6 sites, regardless of Group Policy.

If anyone can show me how to make internet explorer do this, I'll award the points to them.  Otherwise I will just split them up amongst everyone who answered.

Thanks for the help!
Rich RumbleSecurity SamuraiCommented:
I posted to your question:

To use Content Advisor: while I'm not sure about using AD to push it out, it is easy to configure.
On the "Allowed sites" tab in Content Advisor, you can allow (aka Always) or deny (aka Never) by single IP, IP range or DNS name, each entry set to always/never.

Content Advisor is "chatty", as I think you've noticed when you say it "is not capable of limiting itself to only 6 sites". That is a task better suited to the Internet zones.
I linked to them in the other thread.

To summarize what I placed in the other thread:
Get a policy written up to make it nice and official; this way you can also get HR to help drive home that the company is serious about the restrictions. SANS has the best policy page with free and configurable examples.
If your users are admins of their own machines, even proxies won't help because the users can install another browser, or use a jump drive or even a CD-ROM as mentioned above. The only way to force them into using the proxy would be to block ports 21, 80, and 443 outbound. Then even if they did use a CD-ROM, jump drive, or even installed another browser, they couldn't get out very easily; it can still be done, but it's more than most users know how to do.

After the policies have been read and signed, in HR's presence with HR signing off too that the user read the policy, get an Ntop instance installed at each site. Ntop is free, and it's ported to Windows for free by OpenXtra. You'll need to set up a spanned port or a hub in order to see all the traffic properly.
ntop will monitor all traffic, and break down each PC's usage between the different protocols: HTTP, SSH, ICMP, Kazaa, SMTP etc. Armed with ntop and your policies, you can definitely show the users that you're serious, or rather that your company is serious, and that you are watching every packet.

It comes off sort of "nazi" in type, but your users can be made to understand that you're protecting the entire company. It may seem unfair that there are users who are not going to be watched as closely; however, you can assure them that they are being watched also.

# It is estimated that 3 to 5 million web sites are newly established or renamed each week, making the collection and storage of accurate data virtually impossible. Providers of site blocking technology, however, claim greater than 90% accuracy in database tracking of Internet sites, a claim that is highly improbable based on the sheer volume of new and renamed sites.
# Site blocking can block vast amounts of good data along with the bad.
# Site blocking technology focuses only on HTTP-based web traffic, leaving other applications such as instant messaging, e-mail, e-mail attachments, and other desktop applications as continuing security risks.
# Site blocking conveys to your users that if they find inappropriate sites that are not blocked then it's OK to use them.


Rich RumbleSecurity SamuraiCommented:
DOH! I don't know why I didn't think of this earlier...
IPsec firewall. While I think the policies and Ntop are also essential in any LAN, IPsec can make all of this very easy.

I can make an example IPSEC file and post it here, however you'd have to ultimately configure it for your environment.
Basically you can set it up to block ports 80, 443 or anything else to all destinations, except the few that you want to allow.
It runs on the workstations themselves (Win2k, XP or 2003), so even if they do install their own browser, they won't get anywhere.
ccarmichael7Author Commented:
Thanks for all your answers, Rich Rumble is correct. You can do it with Content Advisor, and it can be pushed down through AD. I feel a little stupid, since I assumed that I had to set every other site to not allowed for the rules to work correctly. Since Rich Rumble also included info about the HR policies, and how to do it using the IPsec filters, I am awarding the full points to him.

Thank you!
I have used Content Advisor to do this many times. The key that is missing above is that you need to load the noaccess.rat file.
Start below--------------------------------------------
((PICS-version 1.0)
 (rating-system "")
 (rating-service "")
 (name "Noaccess")
 (description "This file will block all sites.")
 (category
  (transmit-as "m")
  (name "Yes")
  (label
   (name "Level 0:   No Setting")
   (description "No Setting")
   (value 0) )
  (label
   (name "Level 1:   No Setting")
   (description "No Setting")
   (value 1) ) ))
end above-------------------------------------------------------

Copy and paste the above script into Notepad and save it as noaccess.rat.
Save that .rat file in the c:\windows\system32 directory on each client and on the server. On the server, configure the policy and load the noaccess.rat file. This script locks ALL websites out. Once configured via Group Policy, you allow the websites on the server by typing the password and selecting "always allow". It is then pushed to the clients via your Group Policy.

This is the quick and dirty explanation, but it should be enough to get you started. The noaccess.rat file is really the key. You assign a password in your Group Policy, and when you need a site unlocked you open it on the server, unlock and allow the website, and the clients acquire the setting via the Group Policy. It is truly a poor man's lockdown. Of course it can be circumvented with Firefox or Safari, but most users do not know this. You could then take it a step further and use software restriction policies so that users cannot install any other web browser.

I hope this clarifies the issue.
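As an added check, not part of the post above: the .rat file is a PICS rating-service description, a parenthesised s-expression, and Content Advisor silently ignores or rejects a copy whose parentheses no longer balance. The script below parses the text and summarises the structure Content Advisor reads (service name, each (category ...) with its (label ...) entries), so a file can be verified before it is dropped into system32 on every client. The embedded NOACCESS_RAT is the complete "block all sites" file, including the (category and (label wrappers that the PICS format requires and that are easily lost when the file is pasted through a web form; TRUNCATED_RAT is that same text with the wrappers stripped, constructed here to show the failure. The parser handles only what these files use: lists, bare atoms and double-quoted strings without escape sequences.

```javascript
// Checker for a PICS .rat rating-service file such as noaccess.rat.
// Added example, not code from the post. Parses the parenthesised s-expression
// and summarises what Content Advisor reads: the service name and each
// (category ...) with its (label ...) entries. Handles only what these files
// use: lists, bare atoms and double-quoted strings without escape sequences.

// Constructed copy of the complete "block all sites" file, including the
// (category and (label wrappers that the PICS format requires.
var NOACCESS_RAT =
  '((PICS-version 1.0)\n' +
  ' (rating-system "")\n' +
  ' (rating-service "")\n' +
  ' (name "Noaccess")\n' +
  ' (description "This file will block all sites.")\n' +
  ' (category\n' +
  '  (transmit-as "m")\n' +
  '  (name "Yes")\n' +
  '  (label\n' +
  '   (name "Level 0:   No Setting")\n' +
  '   (description "No Setting")\n' +
  '   (value 0) )\n' +
  '  (label\n' +
  '   (name "Level 1:   No Setting")\n' +
  '   (description "No Setting")\n' +
  '   (value 1) ) ))';

// The same text with the wrapper lines lost, as happens when the file is
// pasted through a web form; the closing parentheses then no longer balance.
var TRUNCATED_RAT = NOACCESS_RAT.replace(/ *\((category|label)\n/g, "");

// Parse one s-expression. Lists become arrays; atoms and strings become strings.
function parseSexpr(text) {
  var tokens = [], i = 0;
  while (i < text.length) {
    var c = text.charAt(i);
    if (c === "(" || c === ")") { tokens.push({ paren: c }); i++; }
    else if (/\s/.test(c)) { i++; }
    else if (c === '"') {
      var j = text.indexOf('"', i + 1);
      if (j < 0) throw new Error("unterminated string");
      tokens.push({ value: text.slice(i + 1, j) });
      i = j + 1;
    } else {
      var k = i;
      while (k < text.length && !/[\s()"]/.test(text.charAt(k))) k++;
      tokens.push({ value: text.slice(i, k) });
      i = k;
    }
  }
  var pos = 0;
  function read() {
    if (pos >= tokens.length) throw new Error("unexpected end of input: missing ')'");
    var t = tokens[pos++];
    if (t.paren === ")") throw new Error("unexpected ')'");
    if (t.paren !== "(") return t.value;
    var list = [];
    while (pos < tokens.length && tokens[pos].paren !== ")") list.push(read());
    if (pos >= tokens.length) throw new Error("unexpected end of input: missing ')'");
    pos++; // consume the closing ")"
    return list;
  }
  var tree = read();
  if (pos !== tokens.length) throw new Error("text continues after the top-level list: too many ')'");
  return tree;
}

// Pull out the fields Content Advisor cares about; throw if the shape is wrong.
function describeRat(text) {
  var top = parseSexpr(text);
  if (!(top instanceof Array) || !(top[0] instanceof Array) || top[0][0] !== "PICS-version")
    throw new Error("not a PICS rating-service description");
  var out = { version: top[0][1], name: null, categories: [] };
  for (var i = 1; i < top.length; i++) {
    var item = top[i];
    if (item[0] === "name") out.name = item[1];
    if (item[0] !== "category") continue;
    var cat = { transmitAs: null, name: null, labels: [] };
    for (var j = 1; j < item.length; j++) {
      var f = item[j];
      if (f[0] === "transmit-as") cat.transmitAs = f[1];
      else if (f[0] === "name") cat.name = f[1];
      else if (f[0] === "label") {
        var lab = { name: null, value: null };
        for (var k = 1; k < f.length; k++) {
          if (f[k][0] === "name") lab.name = f[k][1];
          if (f[k][0] === "value") lab.value = Number(f[k][1]);
        }
        cat.labels.push(lab);
      }
    }
    out.categories.push(cat);
  }
  if (out.categories.length === 0) throw new Error("no (category ...) block: nothing for Content Advisor to rate on");
  return out;
}
```

Run describeRat over the text of the file you are about to deploy; a complete noaccess.rat yields one category ("Yes", transmitted as "m") with two labels valued 0 and 1, while the truncated copy throws on the surplus closing parenthesis. The same check is worth repeating on the copy in system32 on a client if a machine does not pick up the lockdown, since the rest of the Group Policy can look correct while the .rat file on that host is the damaged one.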