Restrict Internet access by username or on a per-PC basis

I would like to know if it is possible to block Internet access either by a specific username or by machine name. Currently all PCs are connected to a corporate LAN and connect to the Internet through a PIX 501. I think that the PIX can block by specific IP address, but we are using DHCP instead of static IPs.

Just wondering if there is anything that is built into Windows XP Pro SP2 that will block access so that the user cannot connect.

I thought about a 3rd party proxy server, but I feel that may be overkill for our organization.

The best way to do this if you have a firewall is to have static IPs for the users. This way, you can filter Net access by assigned IPs. You can also assign them a specific switch port and force an IP that can be filtered.

There is also content filtering software (parental control) like Net Nanny or CyberPatrol Surf Watch.

At the extreme you can control the user environment by installing kiosk software or give him a CE terminal and force him to RDP into a Terminal Server where you lock down his entire Windows environment. I've done this in manufacturing environments for day laborers.

Without a device that understands Windows usernames (such as a proxy server) there isn't going to be any way to restrict the access.  The PIX device does not see the usernames.

As for restricting by machine name, I am just starting to learn PIX, so someone may correct me if I am wrong. I don't think this will be possible either. The reason is that even if PIX allows you to put a machine name in an access control list instead of an IP address, it is going to try to validate this name against external DNS, not your internal DNS server.

A third-party proxy server really is the best bet for this.

Your other choice really is static IP addresses.

Check out the accepted answer from trywaredk
Date: 03/22/2004 11:44PM PST:

This should give you a ton of ideas.
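
The static-IP filtering suggested in the answers above can be combined with DHCP by reserving an address for each PC and generating the PIX access list from the reservation table. The sketch below is an added example, not code from any poster in this thread; the hostnames, addresses, the ACL name `inside_out` and the function `build_pix_acl` are constructed for illustration, and `inside` is assumed to be the name of the PIX's LAN-side interface.

```python
import ipaddress

# Constructed sample data: DHCP reservations (hostname -> reserved IP) on a
# hypothetical 192.168.1.0/24 inside network. With a reservation the PC keeps
# using DHCP but always receives the same address, so an IP filter stays valid.
RESERVATIONS = {
    "ACCT-PC01": "192.168.1.21",
    "SHOP-PC07": "192.168.1.37",
    "FRONT-DESK": "192.168.1.40",
}
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")


def build_pix_acl(blocked_hosts, reservations=RESERVATIONS,
                  acl_name="inside_out", inside_net=INSIDE_NET):
    """Return PIX config lines denying outbound traffic from blocked hosts."""
    lines = []
    for host in sorted(set(h.upper() for h in blocked_hosts)):
        if host not in reservations:
            # No reservation means the address can change at the next lease,
            # and the deny entry would silently stop matching this PC.
            raise KeyError(f"{host} has no DHCP reservation")
        ip = ipaddress.ip_address(reservations[host])
        if ip not in inside_net:
            raise ValueError(f"{host} ({ip}) is outside {inside_net}")
        lines.append(f"access-list {acl_name} deny ip host {ip} any")
    # ACL entries are evaluated top down and end in an implicit deny, so the
    # permit for everyone else must come after the per-host denies.
    lines.append(f"access-list {acl_name} permit ip any any")
    lines.append(f"access-group {acl_name} in interface inside")
    return lines


if __name__ == "__main__":
    print("\n".join(build_pix_acl(["shop-pc07", "front-desk"])))
```

An IP-based filter does not stop a user who is able to change the PC's address by hand, so it only holds where users cannot edit their network settings.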

Use IPsec to stop the Internet access per PC. Configuring IPsec on each and every PC should help you out in blocking the Internet access from the PCs.