ccarmichael7

Internet Filter Software (not a porn filter)

Hello,

I am looking for a VERY SIMPLE internet filtering software.  We need to install it on about 15 machines, so the less expensive/free the better.  

All we need to do is block all access to the internet with the exception of 6 sites which are work related.  Some users will need to be able to surf anywhere they want.  Having them enter a password to access unrestricted internet is fine.  

We can't use a proxy server, since there are three separate offices, and group policy doesn't seem to do the trick either.

So does anyone know of a freeware program or very inexpensive program which will block all sites with the exception of a handful of work related sites?  We don't want to pay monthly fees for databases we won't even use.  I will reward 100 more points if a freeware solution is provided!

Thank You
chris_calabrese

I don't think you'll be able to do this without some kind of proxy, but that doesn't mean it won't work for three offices - you just need three proxies.

Squid is the best known freeware web proxy. You can run it on some old PCs running Linux or *BSD.

One way you could do this is to:

Step 1
Edit the hosts file.  Search the C: drive for hosts - on XP it is in C:\WINDOWS\system32\drivers\etc.
Add in the web sites you wish to use - IP address, and then domain name.

example -
216.109.117.207  www.yahoo.com

Step 2
Then remove the DNS information from each client. Now the client will only be able to resolve the listed sites from the hosts file.

They will then only be able to access sites for which you have listed access in the hosts file.

For people that are allowed surfing, you could give them DNS information.

Out of curiosity, I just tested this on my machine, and IT WORKED!
Kind of roundabout, but no software, and no paying for anything but some time setting up a hosts file that you can copy to each client.

I don't know how this works for you thechandler and what type your internet connection is, but I can remove all the dns info I want and my machine looks it up automatically... So this depends on the internet connection I guess.

mcwojtekk -

In our network, we have many clients that all are part of a switched network.  Various switches are connected throughout the building - bringing everyone access to both the servers and firewall/gateway out to the internet.  

We run a DNS server such that every client has the following information input on their terminal -
IP
Subnet
Gateway
DNS

Enabling DHCP, using a proxy connection, having DNS resolves cached, or having a direct connection to the internet on the client machine are all ways in which my method will not work - I would guess that you are using one of the methods that I listed.

Well I use a proxy at work and a router for my SDSL connection at home. In both cases no go. Let's see what ccarmichael7 has to say about this.
ccarmichael7

Thanks for the responses guys!

The reason why we don't just use a proxy is that there are four offices connected via VPN over cable modems.  We don't want all the internet traffic to filter through the main site, and putting in proxies at each site seems like overkill.  To add to the confusion, there are some users who should be able to browse the internet freely.

So really it would seem to me that there should be some kind of software similar to cyberpatrol or netnanny that doesn't require us to pay monthly fees for a database we won't use.

I have tried using group policy, but I can't figure out how to make internet explorer do this using content advisor or the security settings.  If anyone knows how to do this using internet explorer, that would be perfect!  Then I could just push it out using group policy.


I am going to bump up the point value to 400 on this question, since it is fairly complex!

Thank you for all your answers thus far

I might be able to do this with group policy using the firewall built-into WinXP. The API is referred to in MS docs as IPsec settings, though it's not actually the IPsec part you're interested in.

Otherwise, I'd deploy four proxies, each of which allows people to login and get full access or not login and get restricted access. You can buy four older PCs on eBay for ~$1K and load them with free software like Linux or FreeBSD with Squid as the proxy.
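
A squid.conf fragment for the per-office proxy described in the post above (the work sites open to everyone, a password prompt for everything else), added here as an example and not part of the original thread. The domain names, subnet, realm text and helper path are placeholders or assumptions; the helper's location and name differ by distribution and Squid version.

```conf
# Added example, not from the thread. All names and addresses are placeholders.

# Password check for the users who may browse anywhere.
# Helper path is an assumption; check where your Squid package installs it.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Unrestricted browsing
auth_param basic credentialsttl 2 hours

# Workstations in this office (placeholder range).
acl office_lan src 192.168.1.0/24

# The handful of work-related sites. A leading dot also matches subdomains.
acl work_sites dstdomain .work-site-1.example .work-site-2.example

# True only when the browser has supplied a valid username and password.
acl full_access proxy_auth REQUIRED

# Rules are checked top to bottom; the first match decides.
http_access deny !office_lan       # nobody outside the office uses this proxy
http_access allow work_sites       # work sites: no login needed
http_access allow full_access      # anything else: triggers the password prompt
http_access deny all               # no valid login, no access

http_port 3128
```

The proxy only enforces this if workstations cannot reach the internet directly, so the office router should permit outbound web traffic from the proxy alone. Basic authentication sends the password across the LAN with only base64 encoding, so use accounts dedicated to the proxy rather than domain logons.
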
I found this software in a search - called Browse Control.  According to the product description you can set both time limits, or limit the internet to allow only work related sites.  I downloaded the trial, but do not have time to set it up on the server, but the interface is relatively intuitive, and you can set multiple group access levels for different clients.

Price wise, it is $20 / user, or it drops to $15 per user for 20+ users, and keeps dropping with more users.

http://www.codework.com/bcontrol/product.html
Rich Rumble
DOH! I don't know why I didn't think of this earlier...
IPSEC firewall. While I think the policies and Ntop are also essential in any LAN, ipsec can make all of this very easy.

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

I can make an example IPSEC file and post it here, however you'd have to ultimately configure it for your environment.
Basically you can set it up to block port 80, 443 or anything else to all destinations, except the few that you want to allow.
Runs on the workstations themselves (win2k,xp or 2003) so even if they do install their own browser, they won't get anywhere.
-rich