spectraflame

Restrict Internet access by username or on per PC basis

I would like to know if it is possible to block Internet access either by a specific username or by machine name. Currently all PCs are connected to a corporate LAN and connect to the Internet through a PIX 501. I think that the PIX can block by specific IP address, but we are using DHCP instead of static IPs.

Just wondering if there is anything that is built into Windows XP Pro SP2 that will block access so that the user cannot connect.

I thought about a 3rd party proxy server, but I feel that may be overkill for our organization.

Thanks,
Matthew
Phil_Agcaoili

The best way to do this if you have a firewall is to have static IPs for the users. This way, you can filter Net access by assigned IPs. You can also assign them a specific switch port and force an IP that can be filtered.

There is also Content Filtering software (parental control) like Net Nanny or CyberPatrol Surf Watch.

At the extreme you can control the user environment by installing kiosk software (http://sitekiosk.com) or give him a CE terminal and force him to RDP into a Terminal Server where you lock down his entire Windows environment. I've done this in manufacturing environments for day laborers.
rchein

Without a device that understands Windows usernames (such as a proxy server) there isn't going to be any way to restrict the access.  The PIX device does not see the usernames.

As for restricting by machine name, I am just starting to learn PIX, so someone may correct me if I am wrong. I don't think this will be possible either. The reason is that even if PIX allows you to put a machine name in an access control list instead of an IP address, it is going to try to validate this name against external DNS, not your internal DNS server.

A third-party proxy server really is the best bet for this.

Your other choice really is static IP addresses.
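
The answers above come down to filtering on fixed addresses, because the PIX cannot act on internal machine names. As an added example (not code from any poster in this thread), the script below turns a list of machine names into PIX 6.x-style ACL lines. It assumes each restricted PC already has a fixed inside address; the inventory, the ACL name `inside_out` and the function name are hypothetical.

```python
import ipaddress

# Constructed sample inventory: machine name -> fixed inside address.
# Names and addresses are hypothetical, not taken from the thread.
INVENTORY = {
    "FRONTDESK01": "192.168.1.21",
    "SHOPFLOOR02": "192.168.1.22",
    "ACCOUNTING03": "192.168.1.23",
}


def build_pix_acl(inventory, blocked_names, acl_name="inside_out",
                  interface="inside"):
    """Return ACL lines that deny outbound IP for the named machines.

    The firewall only sees addresses, so every name is resolved here,
    before the config is written. An unknown name raises instead of
    being skipped: a silently dropped entry would leave that PC online.
    """
    lines = []
    seen = set()
    for name in blocked_names:
        key = name.strip().upper()
        if key not in inventory:
            raise KeyError(f"no fixed address recorded for {key!r}")
        # Validate the address so a typo never reaches the firewall.
        addr = ipaddress.IPv4Address(inventory[key])
        if addr in seen:
            continue  # same machine listed twice
        seen.add(addr)
        lines.append(f"access-list {acl_name} deny ip host {addr} any")
    # Deny entries must precede the permit; an ACL ends in an implicit
    # deny, so without this line every inside host would lose access.
    lines.append(f"access-list {acl_name} permit ip any any")
    # Apply the list to traffic entering the inside interface.
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    for line in build_pix_acl(INVENTORY, ["shopfloor02", "FRONTDESK01"]):
        print(line)
```

The rules follow the address, not the machine or the user, so they only hold while users cannot change the address their PC uses.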
ASKER CERTIFIED SOLUTION
Phil_Agcaoili

This solution is only available to members.
Use IPsec to stop Internet access per PC. Configuring IPsec on each and every PC should help you out in blocking Internet access from the PCs.