Solved

How can I Disable a user's external Internet Surfing without affecting internal Intranet Access?

Posted on 2006-07-12
Last Modified: 2010-05-18
I've got a supervisor who needs to curtail one of their folks from surfing the web, but without affecting INTRAnet access. Anything I can easily do without getting too complicated? This is for a supervisor to enforce and since I'm not a domain admin (only local admin) I'm trying to avoid any kind of Policy edits since I'm not a domain admin on our network.

Thanks,
Brian
Question by:BrianEsser
14 Comments
 
LVL 4

Expert Comment

by:johanvz1
ID: 17092012
Hi,

Do you want to block it for the one specific user on the whole network, or on the computer on which that user works? Because if the user works on one system then it makes the task at hand much easier. Also, what is the operating system in use? Is it Windows XP SP2?

Rgds,

Johan
0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 500 total points
ID: 17092097
Brian-

If you are a local admin, this is easy.

1. Go to network connection properties, TCP/IP properties of the network card in use.
2. Remove any entries in DNS servers.  In other words, leave the DNS fields BLANK.
3. Do a search on a file called HOSTS  (I think it is C:\windows\system32\drivers\etc)
4. Open this HOSTS file in notepad  (note:  it does NOT have an extension, and must remain that way)
5. You will see one entry that says 127.0.0.1     localhost
6. On the line below, following that format input the IP address and hostname (example:  intranet.yourdomain.com)
7. Repeat, and add entries for any websites that you want the client to get to (could be internal/intranet or external)

If user is not local admin, he cannot change any of these settings back.

Thanks,

justin
0
 

Author Comment

by:BrianEsser
ID: 17092116
Johan, On the computer where the (temp) user works please. Windows XP SP2 and we use MS ISA Proxy. When the ISA Proxy is disabled, a user would have access only to the Intranet, which is what I'm after. I can manually disable the ISA Proxy, but a savvy user could just re-enable it from the system tray. We are also using MS AntiSpyware Beta 1 and I might be able to use the advanced tools to take isatray.exe out of the startup directory. Any suggestions are appreciated.

Thanks,

Brian
0
 

Author Comment

by:BrianEsser
ID: 17092128
All users have local admin - Don't ask me why?
0
 

Author Comment

by:BrianEsser
ID: 17092184
Justin, I'm familiar with what you are suggesting, but without DNS I'm not sure if I'd break something else in the process. I'd have to do a lot of testing I don't have time to do at this point. Hoping something more simple can be done. However, even with local admin rights, your suggestion is complex enough that the user wouldn't be able to undo that which he has no idea has been done. We'll have to see what other options are available, but in the long run this may suffice.

Thanks,
Brian
0
 
LVL 4

Expert Comment

by:johanvz1
ID: 17092187
Hi,

You could use Justin's way, except that the user has local admin rights and can just change it back. However, depending on how knowledgeable the user is, you could always use the attrib command in the command prompt to hide the lmhosts further so that he won't be able to find it. Unfortunately with SP2 by default you can only really block incoming traffic unless you install a third-party application like ZoneAlarm, but I wouldn't suggest you do that.

Rgds,

Johan

0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092219
BrianEsser-

If it is a member of the domain, I would also add an entry for any servers that the user must connect to:

- Including:

- Domain Controllers
- Exchange Servers
- File Servers

Please keep in mind you can ALWAYS log in as local admin and put it back to normal, so it shouldn't take that much testing as it is easily reversible.

Thanks,

justin
0
 
LVL 18

Expert Comment

by:Crash2100
ID: 17092265
Do you have access to the router?  Because you could just block the internet ports for that computer with the router, and that would prevent it from affecting internal traffic.
0
 

Author Comment

by:BrianEsser
ID: 17092318
Justin, You are correct, there are several other servers that would have to be included and once I identified them I could certainly perform the steps you've outlined.

One question though - We use DHCP - Wouldn't that provide the DNS server info every time the Network or PC was restarted? The Hosts file is looked at first regardless, but if DNS is available due to DHCP, then if the browser doesn't find it in the Hosts file, it will then use DNS if available, right?

Thanks,

Brian
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092342
You can either statically address the machine, or just set the IP address itself to automatically obtain and MANUALLY specify the DNS SERVERS.  In that case, you can just set the DNS server entries to 127.0.0.1 - which would of course give no response quickly.

Thanks,

justin
0
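A check for the hosts-file approach discussed in the comments above, added here as an example and not code from any poster: it parses hosts-file text, reports required servers (intranet site, domain controllers, Exchange, file servers) that have no static entry, and lists any configured DNS server that is not a loopback address. All addresses, the hostnames other than intranet.yourdomain.com, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: addresses and most hostnames are placeholders.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.0.10       intranet.yourdomain.com intranet
10.0.0.11       dc01.yourdomain.com     # domain controller
10.0.0.12       exch01.yourdomain.com
300.1.1.1       files01.yourdomain.com
10.0.0.14
"""
REQUIRED = ["intranet.yourdomain.com", "dc01.yourdomain.com",
            "exch01.yourdomain.com", "files01.yourdomain.com"]


def parse_hosts(text):
    """Return ({hostname: ip}, [(line_no, problem)]) for hosts-file text."""
    names, problems = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append((no, "invalid address %r" % fields[0]))
            continue
        if len(fields) == 1:
            problems.append((no, "address with no hostname"))
        for name in fields[1:]:
            key = name.lower()                  # hostnames are case-insensitive
            if names.setdefault(key, ip) != ip:
                problems.append((no, "conflicting entry for %s" % key))
    return names, problems


def audit(hosts_text, required, dns_servers):
    """Check the setup: static names present, no usable DNS server configured."""
    names, problems = parse_hosts(hosts_text)
    missing = [h for h in required if h.lower() not in names]
    live_dns = [s for s in dns_servers
                if not ipaddress.ip_address(s).is_loopback]
    return {"missing": missing, "problems": problems, "live_dns": live_dns}
```

Running `audit()` before blanking the DNS settings shows which servers would become unreachable by name; an entry on a malformed line counts as missing.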
 

Author Comment

by:BrianEsser
ID: 17092437
Sounds like it would work just fine - Thanks for the help.

Take care,
Brian
0
 
LVL 3

Expert Comment

by:juandelacruz2001
ID: 17092440
I'm wondering, how about removing (empty) the default gateway entry?

Good luck...
0
 

Author Comment

by:BrianEsser
ID: 17092449
Crash, no access to routers. Thx ~B
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092754
juan-

good idea
0
