• Status: Solved
  • Priority: Medium
  • Security: Public

How to limit Internet Explorer users to a whitelist of websites?

Our default browser is Firefox, but IE is needed to access a few sites that aren't compatible with Firefox.  I'd like to restrict users to using IE for only those few permitted sites.

I tried uploading a PICSRule in Content Advisor.  The whitelist worked, but Content Advisor seems to enable other security settings which stopped one of the whitelisted websites from working.  So Content Advisor is out (unless someone knows the answer to that problem:  Logins to the site immediately expire.  The site doesn't use cookies for a login, and I tried listing the site under "Approved Sites" in content advisor.)

Note that the whitelist must apply to IE  only, not the whole computer: Firefox should work.

Our environment is Windows 2003 R2 server; user logins are under Citrix (and thus Terminal Services).


Thanks in advance!
0
Asked by: IntInc
1 Solution
 
Rant32 Commented:
Mmh, just thinking out loud here... Group Policies should be able to help you out. I assume here that the security settings for Firefox are not affected by IE group policy settings.

For IE, set the default Internet zone to the highest level of security. This effectively removes any browsing capabilities beyond plain HTML text.
Set the security level for the Trusted Sites zone to the Normal/Low level (or Custom, I'm sure you can play around with the specific needs for ActiveX and Java).

Then, add the sites you want IE to access to the list of Trusted sites.

This doesn't restrict IE from opening pages, but with Maximum security users will quickly give up all hope of typical browsing with IE.

Other question: do you have a proxy server like Squid or ISA server in place?
0
 
IntInc (Author) Commented:
Thanks.  We've already implemented something similar to what you suggested with the security zones and we also removed their address bar.

But that setup leaves plenty of browsing ability and is not really a whitelist, which is what I'm after.
0
 
Rant32 Commented:
I'm not sure if you missed my question, but do you have a web proxy server in place? That gives you a lot more options.

Then you can configure IE with a different proxy server or PAC file than Firefox, and actually allow/disallow sites from there.

There is no other whitelisting/blacklisting feature in IE that I'm aware of.
0
 
IntInc (Author) Commented:
Sorry, I forgot about the proxy question.  We considered that, but would have to set up a proxy for just this purpose and the cost isn't justified.
0
 
Rant32 Commented:
Well, Squid proxy server is actually open source and just requires a hardware box to run. Runs on Windows as well.

If the underlying reason that you're using Firefox instead of Internet Explorer is security, then setting the Internet zone to Maximum security should work well for you (no scripting, no ActiveX, no Java, nothing).
0
 
dmccurdy51 Commented:
What you can do is configure the proxy settings in the 2003 GPO to a nonexistent server.  Then in the Exceptions box list the websites you want accessed.  This will send all unwanted web traffic into thin air.


Specifically:
User Configuration/Windows Settings/Internet Explorer Maintenance/Connection/Proxy Settings/Enable Proxy Settings
   Configure all protocols to 127.0.0.1 port 80

User Configuration/Windows Settings/Internet Explorer Maintenance/Connection/Proxy Settings/Exceptions
   List websites *.companydomain.com, www.sauceyscatering.com, etc.
0
 
Rant32 Commented:
Very good one dmccurdy51, didn't think of that.

To expand on it, if you have an Intranet webserver running, you can use a proxy autoconfiguration file:

---[cut here: proxy.pac]---

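function FindProxyForURL(url, host)
{
  // Intranet hosts (no dots) and the whitelisted domains connect directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".mycompany.com")
                            || dnsDomainIs(host, ".mysupplier.com")
                            || dnsDomainIs(host, ".mybank.com"))
    return "DIRECT";
  else
    // Everything else is sent to a proxy that does not exist.
    return "PROXY 127.0.0.1:80";
}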

---[cut here]---

This will redirect all websites except the listed domains to a non-existent proxy.

To use it, point IE autoconfiguration to the file (i.e. http://intranet/proxy.pac) through GPO. This allows you to make immediate changes to the list of allowed web sites, instead of waiting for GPOs to be applied.
0
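An added test harness for the PAC approach above (not code from the thread): it runs an allowlist-driven `FindProxyForURL` against constructed hostnames outside the browser, so a whitelist change can be checked before the file is published. The stubs for `isPlainHostName` and `dnsDomainIs` assume plain suffix-match semantics, and `ALLOWED`, `normalize`, `audit` and `SAMPLE_HOSTS` are hypothetical names; unlike the leading-dot patterns in the post, it also matches the bare domain under those semantics.

```javascript
// Stand-ins for two PAC helpers the browser normally provides.
// Assumed semantics: plain host = no dots; dnsDomainIs = case-sensitive suffix match.
// Remove these two stubs when deploying the file as a real proxy.pac.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Placeholder allowlist using the example domains from the post.
var ALLOWED = ["mycompany.com", "mysupplier.com", "mybank.com"];
var BLACKHOLE = "PROXY 127.0.0.1:80"; // nothing listens here, so the request fails

// Lower-case the host and drop a trailing dot so "WWW.MyBank.com." still matches.
function normalize(host) {
  host = host.toLowerCase();
  return host.charAt(host.length - 1) === "." ? host.slice(0, -1) : host;
}

function FindProxyForURL(url, host) {
  host = normalize(host);
  if (isPlainHostName(host)) return "DIRECT"; // intranet short names
  for (var i = 0; i < ALLOWED.length; i++) {
    // Match the apex itself or any subdomain. The leading dot keeps
    // look-alikes such as "notmybank.com" from matching "mybank.com".
    if (host === ALLOWED[i] || dnsDomainIs(host, "." + ALLOWED[i])) return "DIRECT";
  }
  return BLACKHOLE;
}

// Returns { host: decision } for a list of hostnames.
function audit(hosts) {
  var out = {};
  hosts.forEach(function (h) { out[h] = FindProxyForURL("http://" + h + "/", h); });
  return out;
}

// Constructed sample hosts: allowed names, look-alikes, and an IP literal.
var SAMPLE_HOSTS = ["intranet", "www.mybank.com", "mybank.com", "WWW.MyBank.com.",
                    "notmybank.com", "mybank.com.example.net", "192.0.2.10"];

console.log(audit(SAMPLE_HOSTS));
```

Because the proxy setting lives in the user's IE configuration, the whitelist holds only as long as the same GPO also prevents users from changing connection settings.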
 
IntInc (Author) Commented:
dmccurdy51:  That's a great idea.  I will test it out today or tomorrow and post back.

Rant32: Very useful, but I don't think we'll test it because we can wait for the GPO to propagate.


Thanks again.
0
 
dmccurdy51 Commented:
On 2003 you can run "gpupdate /force"    to force the GPO to propagate.
0
