ccarmichael7 (United States of America) asked:

Restrict Internet Access using Content Advisor and Group Policy?!?!

Hello,

I have a Windows Server 2003 domain with Windows 2000 clients. We would like to implement Internet access restrictions at the lowest possible cost. Our requirements are:

Do not allow users to browse to any sites except 6 websites which they need for work.

1. Can we use Content Advisor to disallow all sites except the 6 sites we want employees to go to?
2. Can we use Group Policy to push this policy out to one OU?
3. If we can do none of the above, what would be the simplest and lowest-cost solution we can implement to restrict access to all but 6 websites?

Thank You

o2slim wrote:

I believe your best bet would be restricting use via Group Policy; it can be done by user or user groups! Hope that helps a little!
I honestly would suggest using a proxy server if you want to be able to COMPLETELY restrict internet access.

Group Policy will work to do this for Internet Explorer, so if you only want to limit IE browsing then you can use Group Policy and restrict the sites in IE without a problem... but understand that your users can still use another browser such as Firefox and surf the web freely.
ccarmichael7 (asker) wrote:

Thanks for the tip, but I can't seem to figure out how to use Content Advisor or security zones to totally restrict the Internet except for 6 sites. If I am missing something, please let me know, but it doesn't seem that this can be done with Group Policy.
Bumped value up to 500 points as this question seems very hard to answer.
Sorry I didn't mention that there are 3 different offices that require this, all connected via VPN, so a proxy server won't really work. All I want to do is restrict IE to those sites using Group Policy; I cannot allow the users to install programs, which would stop them from installing Firefox etc.

Maybe I am missing something, but the only place in IE I seem to be able to do this is Content Advisor, and there is no rule I can see to set it to disallow everything except what I put in the allowed list.

If this is possible, please show me how!
Well, playing devil's advocate... you can run Firefox off of a jump drive (no need to install it, so you don't have to be an admin) and still surf the net unless you prohibit the use of jump drives :)  I know most users won't think of that... but it can be done :)

Anyway....

In Group Policy, under:

User Configuration > Windows Settings > Internet Explorer Maintenance

This is where you will need to make your changes.
Leon Fester wrote:
Check out this site from MS.
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/ierk/Ch21_b.asp
It explains how you can configure the automatic proxy settings. Using this in conjunction with the Group Policy mentioned above, you should be able to configure some pretty decent scripts to allow access to the Internet. It requires a little programming logic to figure out, because they are scripts and you will have to change the IF-statements to reverse the proxy options, so that they restrict access instead of selecting a proxy.
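The reversed logic described above, written out as an added example (not code from the thread or from the linked Microsoft page): a proxy auto-config (PAC) file whose default branch denies and whose only DIRECT branch is the allow-list. The six hostnames are placeholders for the real work sites, and the "proxy" 127.0.0.1:9 is an assumption: nothing listens there, so every request that is not on the list fails instead of leaving the machine.

```javascript
// Added example: a PAC allow-list for IE's "automatic configuration script".
// Not code from the thread or from Leon Fester's linked page. The six
// hostnames are placeholders for the real work sites, and the unreachable
// proxy 127.0.0.1:9 is an assumption: nothing listens there, so every request
// that is not on the list fails instead of being sent out.

var ALLOWED_HOSTS = [
  "intranet.example.com",
  "payroll.example.com",
  "mail.example.net",
  "vendor-portal.example.org",
  "support.example.org",
  "bank.example.com"
];

// Black-hole proxy (assumed address). Swap in a real proxy here if you ever
// deploy one and want denied requests logged instead of dropped.
var DENY = "PROXY 127.0.0.1:9";

// True if host is one of the allowed names or a subdomain of one
// ("www.bank.example.com" matches "bank.example.com", "evilbank.example.com"
// does not). Uses plain string operations rather than the PAC built-in
// dnsDomainIs() so the same function runs under Node for testing.
function hostAllowed(host) {
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1); // trailing dot
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    var allowed = ALLOWED_HOSTS[i];
    if (host === allowed) return true;
    if (host.slice(-(allowed.length + 1)) === "." + allowed) return true;
  }
  return false;
}

// Entry point IE calls for every request. This is the reversed logic the post
// describes: the default branch denies, and only the allow-list goes DIRECT.
function FindProxyForURL(url, host) {
  if (hostAllowed(host)) {
    return "DIRECT";
  }
  return DENY;
}
```

Host the file on a web server or UNC path that all offices can reach and point IE at it through Internet Explorer Maintenance > Connection > Automatic Browser Configuration (the auto-proxy URL). Pair it with the Administrative Templates settings "Disable changing proxy settings" and "Disable changing Automatic Configuration settings", or users can simply untick the script. Like the Content Advisor approach, this only governs browsers that honour IE's proxy settings; an IP-literal URL is denied too, since the literal is not on the list.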
Thanks for all the advice, guys.

The problem here is that the network is composed of four offices with 3-9 computers each. They are all linked up with inexpensive VPN routers (Netgear). Using a proxy server doesn't really work, since I don't want all the Internet traffic to run through the main office.

I have searched high and low in Internet Explorer Maintenance for a way to limit access to only 6 sites, but there doesn't seem to be a way to do it using Content Advisor or security settings. Does anyone know what specific settings it takes to accomplish this?

It seems to me the problem here is that Internet Explorer is not capable of limiting itself to only 6 sites, regardless of Group Policy.


If anyone can show me how to make internet explorer do this, I'll award the points to them.  Otherwise I will just split them up amongst everyone who answered.

Thanks for the help!
ASKER CERTIFIED SOLUTION by Rich Rumble (members-only; not reproduced on this page)

Rich Rumble wrote:
DOH! I don't know why I didn't think of this earlier...
IPsec firewall. While I think the policies and Ntop are also essential in any LAN, IPsec can make all of this very easy.

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

I can make an example IPsec file and post it here; however, you'd have to ultimately configure it for your environment.
Basically you can set it up to block port 80, 443 or anything else to all destinations, except the few that you want to allow.
It runs on the workstations themselves (Win2k, XP or 2003), so even if they do install their own browser, they won't get anywhere.
-rich
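The block-everything/permit-a-few layout described above, as an added example that is not Rich Rumble's file: a small Node script that emits the `netsh ipsec static` commands for such a policy from an allow-list. It assumes the `netsh ipsec static` command set of Windows XP/Server 2003 (Windows 2000 clients need ipsecpol.exe from the Resource Kit, whose syntax differs), and its site-to-address table is constructed sample data from the RFC 5737 documentation ranges, standing in for resolving the six real hostnames.

```javascript
// Added example, not Rich Rumble's file: builds the "netsh ipsec static"
// commands for a policy that blocks outbound TCP 80/443 from this host to
// every address except an allow-list, which is the block-all/permit-few
// layout the post describes. Assumptions: netsh ipsec exists on XP/2003
// (Windows 2000 clients need ipsecpol.exe from the Resource Kit, with a
// different syntax); the site-to-address table is constructed from RFC 5737
// documentation ranges and stands in for resolving the six real hostnames.

var POLICY_NAME = "WebAllowlist";
var WEB_PORTS = [80, 443];

// IPsec filters match addresses, not names, so each allowed site has to be
// resolved to its IP(s) first, and the policy regenerated when they change.
// Constructed sample data: two sites share a server, one has two addresses.
var ALLOWED_SITES = {
  "intranet.example.com":      ["203.0.113.10"],
  "payroll.example.com":       ["203.0.113.10"],
  "mail.example.net":          ["198.51.100.25", "198.51.100.26"],
  "vendor-portal.example.org": ["192.0.2.40"],
  "support.example.org":       ["192.0.2.41"],
  "bank.example.com":          ["198.51.100.80"]
};

function isIPv4(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s));
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  return true;
}

// Flatten the table to a de-duplicated address list; refuse anything that is
// not a dotted quad, because a hostname here would not produce the filter
// you expect.
function uniqueAddresses(sites) {
  var seen = {};
  var out = [];
  Object.keys(sites).forEach(function (name) {
    sites[name].forEach(function (ip) {
      if (!isIPv4(ip)) throw new Error("not an IPv4 address for " + name + ": " + ip);
      if (!seen[ip]) { seen[ip] = true; out.push(ip); }
    });
  });
  return out;
}

function buildScript(sites) {
  var lines = [];
  var addFilter = function (list, dst, port) {
    lines.push('netsh ipsec static add filter filterlist="' + list + '" srcaddr=me dstaddr=' + dst +
               (dst === "any" ? "" : " dstmask=255.255.255.255") +
               ' protocol=TCP srcport=0 dstport=' + port + ' mirrored=yes');
  };
  lines.push('netsh ipsec static add policy name="' + POLICY_NAME + '" description="Block web except allow-list"');
  lines.push('netsh ipsec static add filteraction name="Block" action=block');
  lines.push('netsh ipsec static add filteraction name="Permit" action=permit');
  // Catch-all filter list: this host to anywhere on the web ports.
  lines.push('netsh ipsec static add filterlist name="AllWeb"');
  WEB_PORTS.forEach(function (p) { addFilter("AllWeb", "any", p); });
  // Specific filter list: this host to each allowed address. IPsec applies the
  // most specific matching filter, so these permits win over the any-address block.
  lines.push('netsh ipsec static add filterlist name="AllowedWeb"');
  uniqueAddresses(sites).forEach(function (ip) {
    WEB_PORTS.forEach(function (p) { addFilter("AllowedWeb", ip, p); });
  });
  lines.push('netsh ipsec static add rule name="BlockWeb" policy="' + POLICY_NAME + '" filterlist="AllWeb" filteraction="Block"');
  lines.push('netsh ipsec static add rule name="PermitAllowed" policy="' + POLICY_NAME + '" filterlist="AllowedWeb" filteraction="Permit"');
  lines.push('netsh ipsec static set policy name="' + POLICY_NAME + '" assign=y');
  return lines;
}

// Print the script so it can be redirected to a .cmd file and run on a test host.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(buildScript(ALLOWED_SITES).join("\r\n"));
}
```

Two things a practitioner would check before rolling this out. First, the policy only covers TCP 80 and 443, so a site served on another port, or a user-run proxy on 8080, slips past; widen WEB_PORTS, or invert the design to block all TCP and permit only what the domain needs (DNS, AD, file shares), if you want a real egress lockdown. Second, because IPsec policy is computer configuration, it is pushed with Group Policy at Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Active Directory, linked to the OU that holds the workstations rather than the users; that also means it reaches all four offices without funnelling traffic through the main one, and an ordinary user cannot unassign it.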
Thanks for all your answers, richrumble is correct. You can do it with Content Advisor, and it can be pushed down through AD. I feel a little stupid, since I assumed that I had to set every other site to "not allowed" for the rules to work correctly. Since richrumble also included info about the HR policies, and how to do it using the IPsec filters, I am awarding the full points to him.

Thank you!
I have used Content Advisor to do this many times. The key that is missing above is that you need to load the noaccess.rat file.
Start below--------------------------------------------
((PICS-version 1.0)
 (rating-system "http://www.microsoft.com")
 (rating-service "http://www.microsoft.com")
 (name "Noaccess")
 (description "This file will block all sites.")

 (category
  (transmit-as "m")
  (name "Yes")
  (label
   (name "Level 0:   No Setting")
   (description "No Setting")
   (value 0))
  (label
   (name "Level 1:   No Setting")
   (description "No Setting")
   (value 1))))
end above-------------------------------------------------------

Copy and paste the above script into Notepad and save it as noaccess.rat.
Save that .rat file in the c:\windows\system32 directory on each client and on the server. On the server, configure the policy and load the noaccess.rat file. This script locks ALL websites out. Once it is configured via Group Policy, you allow the websites on the server by typing the password and selecting "Always allow". It is then pushed to the clients via your Group Policy.

This is the quick and dirty explanation, but it should be enough to get you started. The noaccess.rat file is really the key. You assign a password in your Group Policy, and when you need a site unlocked you open it on the server, unlock and allow the website, and the clients acquire the setting via the Group Policy. It is truly a poor man's lockdown. Of course it can be circumvented with Firefox or Safari, but most users do not know this. You could then take it a step further and use software restriction policies so that users cannot install any other web browser.

I hope this clarifies the issue.