• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 369
  • Last Modified:

How can I Disable a users external Internet Surfing without affecting internal Intranet Access?

I've got a supervisor who needs to curtail one of their folks from surfing the web, but without affecting INTRAnet access. Anything I can easily do without getting too complicated? This is for a supervisor to enforce and since I'm not a domain admin (only local admin) I'm trying to avoid any kind of Policy edits since I'm not a domain admin on our network.

Thanks,
Brian
0
BrianEsser
Asked:
BrianEsser
  • 6
  • 4
  • 2
  • +2
1 Solution
 
johanvz1Commented:
Hi,

Do you want to block it for the one specific user on the whole network?. Or on the computer on which that user works?. Becuase if the users works on one system then it makes the task at hand much easier. Also what is the Operating System in use is it Windows XP SP2?.

Rgds,

Johan
0
 
NYtechGuyCommented:
Brian-

If you are a local admin, this is easy.

1. Go to network connection properites, tcp/ip properties of the network card in use.
2. remove any entries in DNS servers.  In other words, leave the DNS fields BLANK.
3. Do a search on a file called HOSTS  (I think it is C:\windows\system32\drivers\etc)
4. Open this HOSTS file in notepad  (note:  it does NOT have an extension, and must remain that way)
5. You will see one entry that says 127.0.0.1     localhost
6. On the line below, following that format input the IP address and hostname (example:  intranet.yourdomain.com)
7. Repeat, and add entries for any websites that you want the client to get to (could be internal/intranet or external)

If user is not local admin, he cannot change any of these settings back.

Thanks,

justin
0
 
BrianEsserAuthor Commented:
Johan, On the computer where the (temp) user works please. Windows XP SP2 and we use MS ISA Proxy. When the ISA Proxy is disabled, a user would have access only to the Intranet, which is what I'm after. I can manually disable the ISA Proxy, but a savvy user could just re-enable it from the system tray. We are also using MS AntiSpyware Beta 1 and I might be able to use the advanced tools to take isatray.exe out of the startup directory. Any suggestions are appreciated.

Thanks,

Brian
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
BrianEsserAuthor Commented:
All users have local admin - Don't ask me why?
0
 
BrianEsserAuthor Commented:
Justin, I'm familiar with what you are suggesting, but without DNS I'm not sure if I'd break something else in the process. I'd have to do a lot of testing I don't have time to do at this point. Hoping something more simple can be done. However, even with local admin rights, your suggestion is complex enough that the user wouldn't be able to undo that which he has no idea has been done. We'll have to see what other options are available, but in the long run this may suffice.

Thanks,
Brian
0
 
johanvz1Commented:
Hi,

You could use justins way except for that user local has admin righs and can just change it back. However depending on how knowledgable the user is you could always use the attrib command in the command prompt to hide the lmhosts further so that he wont be able to find it. Unfortunately with SP2 by default you can only really block incoming traffic unless you install a third party application like zonealarm but wouldnt suggest you do that.

Rgds,

Johan

0
 
NYtechGuyCommented:
BrianEsser-

If it is a member of the domain, I would also add an entry for any servers that the user must connect to:

- Including:

- Domain Controllers
- Exchange Servers
- File Servers

Please keep in mind you can ALWAYS login as local admin and put back to normal- so it shouldn't take that much testing as it is easily reversible.

Thanks,

justin
0
 
Crash2100Commented:
Do you have access to the router?  Because you could just block the internet ports for that computer with the router, and that would prevent it from effecting internal traffic.
0
 
BrianEsserAuthor Commented:
Justin, You are correct, there are several other servers that would have to be included and once I identified them I could certainly perform the steps you've outlined.

One question though - We use DHCP - Wouldn't that provide the DNS server info every time the Network or PC was restarted? The Hosts file is looked at first regardless, but if DNS is available due to DHCP then if browser doesn't find in Hosts file, it will then use DNS if available right?

Thanks,

Brian
0
 
NYtechGuyCommented:
You can either statically address the machine, or just set the IP address itself to automatically obtain and MANUALLY specify the DNS SERVERS.  In that case, you can just set the DNS server entries to 127.0.0.1 - which would of course give no response quickly.

Thanks,

justin
0
 
BrianEsserAuthor Commented:
Sounds like it would work just fine - Thanks for the help.

Take care,
Brian
0
 
juandelacruz2001Commented:
I'm wondering, how about removing (empty) the default gateway entry?

Good luck...
0
 
BrianEsserAuthor Commented:
Crash, no access to routers. Thx ~B
0
 
NYtechGuyCommented:
juan-

good idea
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 6
  • 4
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now