[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 168
  • Last Modified:

Blocking a Web Site in our Domain

I want to block a web site and nobody should be able to access it in our domain. How can I do that by using our server that has Windows 2003 installed. I don't want to use a 3rd party software.
0
ugurde
Asked:
ugurde
  • 10
  • 8
1 Solution
 
NJComputerNetworksCommented:
Create a group policy that manages IE settings... Use the REstricted Sites management to block unwanted sites:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngieps.mspx

0
 
NJComputerNetworksCommented:
oh, another easier way...is this...

On your DNS server, create a new Forward lookup zone for the domain that you want to block...

For example, say, you want to block all users from going to www.yahoo.com.  

1) Create a forward lookup zone called "yahoo.com"
2) Create an "A" record in the yahoo.com forward lookup zone...  www = 10.3.5.3  (<--fake invalid IP address)

Now when your clients try to go to www.yahoo.com, they will get an IE web error instead...

0
 
ugurdeAuthor Commented:
NJComputerNetworks, your solution looks like a nice solution, but when I read your answer I understood that I need to edit my question. I don't want any of the students access some web sites. So teachers should access to those sites. Sorry for that.

We have students OU in active directory. I tried before content rating; I did a group policy and add sites to Approved Sites list by clicking never. I used this policy for students OU, but it didn't work.

Does restricted sites management, restrict sites completely or just active x objects and cookies? I tried it on my computer for yahoo.com and it is still works with some restricted site icons.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
NJComputerNetworksCommented:
yeah...sorry the restricted sites doesn't work like I originally thought... you will just get prompts verifying that you want to go to this site...

lets me check into this some more ...
0
 
NJComputerNetworksCommented:
Do the students use the same computers as the teachers?  If not, you can use a GPO to drop a HOST file on the student machines...  The host file will do this:

127.0.0.1 www.yahoo.com 
127.0.0.1 www.anysiteyouwanttoblock.com

Seeing how host files are used before DNS, you students will not be able to hit these websites unless they know the exact IP address to place in the browser.

0
 
NJComputerNetworksCommented:


http://support.microsoft.com/kb/891716

Using a Group Policy-based computer startup script
1. create a script to copy hosts to c:\windows\system32\drivers\etc directory.  Call this weblock.bat
2. Set up the startup script. To do this, follow these steps:
a.  In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.  
b.  Click the Group Policy tab.  
c.  Click New to create a new Group Policy object (GPO), and type MRT Deployment for the name of the policy.
d.  Click the new policy, and then click Edit.  
e.  Expand Windows Settings for Computer Configuration, and then click Scripts.  
f.  Double-click Logon, and then click Add.

The Add a Script dialog box appears.  
g.  In the Script Name box, type \\ServerName\ShareName\webblock.bat.   <-- what ever script you create
h.  Click OK, and then click Apply.

copy the host file to the \\servername\sharename\ directory too

 
3. Restart the client computers that are members of this domain.
0
 
ugurdeAuthor Commented:
I am following the steps that you typed.
Can you tell me what should I type inside the webblock.bat file so that it will redirect the web sites to 127.0.0.1?
Thank you for your help.
0
 
NJComputerNetworksCommented:
inside webblock.bat:

127.0.0.1 www.yahoo.com
127.0.0.1 www.badsite.com
127.0.0.1 www.anotherbadsite.com


Thats it...

You can test this this works by manually creating a host file on you machine...
0
 
ugurdeAuthor Commented:
OK, I opened a notepad, I typed
127.0.0.1 www.yahoo.com
127.0.0.1 www.cnn.com

and saved as webblock.bat. I executed it on my machine, went to www.cnn.com and www.yahoo.com and they were not blocked. Did I do something wrong?
0
 
NJComputerNetworksCommented:
The BAT file must have the logic in it to copy an hosts file to the c:\windows\system32\drivers\etc folder

The host file must contain:

127.0.0.1 www.yahoo.com
127.0.0.1 www.cnn.com

Save the above as HOSTS

In the webblock.bat file have these lines:

copy hosts c:\windows\system32\drivers\etc /Y


sorry, I typed my last response wrong...I was referring to hosts file not webblock.bat.
0
 
ugurdeAuthor Commented:
OK, it works but
-We have Windows Antispyware installed on our computers and it asked me if I want to allow or block this script. It will most probably ask it to the students also and if they choose block it will not be executed. Is there any way to run it without this notice:

A script C:\Documents and Settings\ugurde\Desktop\webblock.bat is trying to run. This change generally occurs when software is installed. You can allow this change if it is recognized and expected.

A Batch file (.bat) is a file that can perform almost any type of task when executed on your computer.

0
 
NJComputerNetworksCommented:
I don't think it will ask if you implent this through a computer GPO:



http://support.microsoft.com/kb/891716

Using a Group Policy-based computer startup script
1. create a script to copy hosts to c:\windows\system32\drivers\etc directory.  Call this weblock.bat
2. Set up the startup script. To do this, follow these steps:
a.  In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.  
b.  Click the Group Policy tab.  
c.  Click New to create a new Group Policy object (GPO), and type MRT Deployment for the name of the policy.
d.  Click the new policy, and then click Edit.  
e.  Expand Windows Settings for Computer Configuration, and then click Scripts.  
f.  Double-click Logon, and then click Add.

The Add a Script dialog box appears.  
g.  In the Script Name box, type \\ServerName\ShareName\webblock.bat.   <-- what ever script you create
h.  Click OK, and then click Apply.

copy the host file to the \\servername\sharename\ directory too

 
3. Restart the client computers that are members of this domain.
0
 
ugurdeAuthor Commented:
I couldn't make it work today. I will check tomorrow what I did wrong.
0
 
ugurdeAuthor Commented:
It works when I login to computer and copies the hosts file from the server, but it doesn't work when a student logs in. I got " Access denied" message when I execute the webblock.bat file from a student's profile. Do you think the reason is domain users don't have modify access to etc/hosts file?
0
 
NJComputerNetworksCommented:
Are you implementing this through a COMPUTER STARTUP SCRIPT?  or a USER based script...  I think you need COMPUTER STARTUP SCRIPT...because of the permissions you talk about...


Using a Group Policy-based COMPUTER startup script
1. create a script to copy hosts to c:\windows\system32\drivers\etc directory.  Call this weblock.bat
2. Set up the startup script. To do this, follow these steps:
a.  In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.  
b.  Click the Group Policy tab.  
c.  Click New to create a new Group Policy object (GPO), and type MRT Deployment for the name of the policy.
d.  Click the new policy, and then click Edit.  
e.  Expand Windows Settings for COMPUTER CONFIGURATION, and then click Scripts.  
f.  Double-click Logon, and then click Add.


0
 
ugurdeAuthor Commented:
I applied  GPO to students, because of the possibility that a student can use a library or a teacher's computer. I applied another policy for teachers to replace  modified hosts file with the original.
If there is no way to run the scripts from domain users account, I can apply it to computers.
0
 
NJComputerNetworksCommented:
you can run it as users, as long as your users have access to overwrite the c:\windows \system32\drivers\etc\hosts file.  I recommend useing computers for this.
0
 
ugurdeAuthor Commented:
It seems that it is working. I need to type web sites with and without www's so that it will block both.
Another thing, I applied it to Startup, since there is no Logon at computer configuration.
Thank you for your help.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 10
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now