Solved

How can I Disable a user's external Internet Surfing without affecting internal Intranet Access?

Posted on 2006-07-12
Last Modified: 2010-05-18
I've got a supervisor who needs to curtail one of their folks from surfing the web, but without affecting INTRAnet access. Anything I can easily do without getting too complicated? This is for a supervisor to enforce and since I'm not a domain admin (only local admin) I'm trying to avoid any kind of Policy edits since I'm not a domain admin on our network.

Thanks,
Brian
0
Question by:BrianEsser
14 Comments
 
LVL 4

Expert Comment

by:johanvz1
ID: 17092012
Hi,

Do you want to block it for the one specific user on the whole network, or on the computer on which that user works? Because if the user works on one system, then it makes the task at hand much easier. Also, what is the operating system in use? Is it Windows XP SP2?

Rgds,

Johan
0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 500 total points
ID: 17092097
Brian-

If you are a local admin, this is easy.

1. Go to network connection properties, TCP/IP properties of the network card in use.
2. Remove any entries in DNS servers.  In other words, leave the DNS fields BLANK.
3. Do a search on a file called HOSTS  (I think it is C:\windows\system32\drivers\etc)
4. Open this HOSTS file in notepad  (note:  it does NOT have an extension, and must remain that way)
5. You will see one entry that says 127.0.0.1     localhost
6. On the line below, following that format input the IP address and hostname (example:  intranet.yourdomain.com)
7. Repeat, and add entries for any websites that you want the client to get to (could be internal/intranet or external)

If user is not local admin, he cannot change any of these settings back.

Thanks,

justin
0
 

Author Comment

by:BrianEsser
ID: 17092116
Johan, On the computer where the (temp) user works please. Windows XP SP2 and we use MS ISA Proxy. When the ISA Proxy is disabled, a user would have access only to the Intranet, which is what I'm after. I can manually disable the ISA Proxy, but a savvy user could just re-enable it from the system tray. We are also using MS AntiSpyware Beta 1 and I might be able to use the advanced tools to take isatray.exe out of the startup directory. Any suggestions are appreciated.

Thanks,

Brian
0

Author Comment

by:BrianEsser
ID: 17092128
All users have local admin - Don't ask me why?
0
 

Author Comment

by:BrianEsser
ID: 17092184
Justin, I'm familiar with what you are suggesting, but without DNS I'm not sure if I'd break something else in the process. I'd have to do a lot of testing I don't have time to do at this point. Hoping something more simple can be done. However, even with local admin rights, your suggestion is complex enough that the user wouldn't be able to undo that which he has no idea has been done. We'll have to see what other options are available, but in the long run this may suffice.

Thanks,
Brian
0
 
LVL 4

Expert Comment

by:johanvz1
ID: 17092187
Hi,

You could use Justin's way, except that the user has local admin rights and can just change it back. However, depending on how knowledgeable the user is, you could always use the attrib command in the command prompt to hide the lmhosts further so that he won't be able to find it. Unfortunately, with SP2 by default you can only really block incoming traffic unless you install a third-party application like ZoneAlarm, but I wouldn't suggest you do that.

Rgds,

Johan

0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092219
BrianEsser-

If it is a member of the domain, I would also add an entry for any servers that the user must connect to:

- Including:

- Domain Controllers
- Exchange Servers
- File Servers

Please keep in mind you can ALWAYS login as local admin and put back to normal- so it shouldn't take that much testing as it is easily reversible.

Thanks,

justin
0
 
LVL 18

Expert Comment

by:Crash2100
ID: 17092265
Do you have access to the router?  Because you could just block the internet ports for that computer with the router, and that would prevent it from affecting internal traffic.
0
 

Author Comment

by:BrianEsser
ID: 17092318
Justin, You are correct, there are several other servers that would have to be included and once I identified them I could certainly perform the steps you've outlined.

One question though - We use DHCP - Wouldn't that provide the DNS server info every time the Network or PC was restarted? The Hosts file is looked at first regardless, but if DNS is available due to DHCP, then if the browser doesn't find it in the Hosts file, it will then use DNS if available, right?

Thanks,

Brian
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092342
You can either statically address the machine, or just set the IP address itself to automatically obtain and MANUALLY specify the DNS SERVERS.  In that case, you can just set the DNS server entries to 127.0.0.1 - which would of course give no response quickly.

Thanks,

justin
0
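A check for the hosts-file approach in the accepted answer and the follow-up about pointing DNS at 127.0.0.1, added here as an example and not part of any poster's reply: with DNS out of the picture only names present in HOSTS resolve, so this Python script parses a hosts file and lists required servers that are missing or sit on a malformed line. The host names, addresses and the REQUIRED list are constructed sample values.

```python
import ipaddress

# Constructed sample of a HOSTS file after the edit (names/addresses are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.10       intranet.yourdomain.com  intranet   # intranet web server
10.0.0.2        dc01.yourdomain.com
10.0.0.20       MAIL01.yourdomain.com
not-an-ip       files01.yourdomain.com
"""

# Constructed list of servers the workstation must still reach by name.
REQUIRED = [
    "intranet.yourdomain.com",
    "dc01.yourdomain.com",
    "mail01.yourdomain.com",
    "files01.yourdomain.com",
]


def parse_hosts(text):
    """Return ({name: ip}, [(lineno, line)]) for hosts-file text.

    Names are lower-cased because host names are case-insensitive; this
    example keeps the first entry it sees for a name.
    """
    table, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:        # bad address, or address with no name
            bad.append((lineno, raw.strip()))
            continue
        for name in fields[1:]:                  # one line may carry several aliases
            table.setdefault(name.lower(), ip)
    return table, bad


def audit(text, required):
    """Return (required names that would not resolve, malformed lines)."""
    table, bad = parse_hosts(text)
    return [n for n in required if n.lower() not in table], bad


if __name__ == "__main__":
    missing, bad = audit(SAMPLE_HOSTS, REQUIRED)
    print("missing:", missing)
    print("malformed lines:", bad)
```
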
 

Author Comment

by:BrianEsser
ID: 17092437
Sounds like it would work just fine - Thanks for the help.

Take care,
Brian
0
 
LVL 3

Expert Comment

by:juandelacruz2001
ID: 17092440
I'm wondering, how about removing (empty) the default gateway entry?

Good luck...
0
 

Author Comment

by:BrianEsser
ID: 17092449
Crash, no access to routers. Thx ~B
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092754
juan-

good idea
0
