Solved

How can I Disable a user's external Internet Surfing without affecting internal Intranet Access?

Posted on 2006-07-12
Last Modified: 2010-05-18
I've got a supervisor who needs to curtail one of their folks from surfing the web, but without affecting INTRAnet access. Anything I can easily do without getting too complicated? This is for a supervisor to enforce and since I'm not a domain admin (only local admin) I'm trying to avoid any kind of Policy edits since I'm not a domain admin on our network.

Thanks,
Brian
0
Question by:BrianEsser
14 Comments
 
LVL 4

Expert Comment

by:johanvz1
ID: 17092012
Hi,

Do you want to block it for the one specific user on the whole network, or on the computer on which that user works? Because if the user works on one system then it makes the task at hand much easier. Also, what is the operating system in use? Is it Windows XP SP2?

Rgds,

Johan
0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 2000 total points
ID: 17092097
Brian-

If you are a local admin, this is easy.

1. Go to network connection properties, TCP/IP properties of the network card in use.
2. Remove any entries in DNS servers.  In other words, leave the DNS fields BLANK.
3. Do a search on a file called HOSTS  (I think it is C:\windows\system32\drivers\etc)
4. Open this HOSTS file in notepad  (note:  it does NOT have an extension, and must remain that way)
5. You will see one entry that says 127.0.0.1     localhost
6. On the line below, following that format input the IP address and hostname (example:  intranet.yourdomain.com)
7. Repeat, and add entries for any websites that you want the client to get to (could be internal/intranet or external)

If user is not local admin, he cannot change any of these settings back.

Thanks,

justin
0
 

Author Comment

by:BrianEsser
ID: 17092116
Johan, On the computer where the (temp) user works please. Windows XP SP2 and we use MS ISA Proxy. When the ISA Proxy is disabled, a user would have access only to the Intranet, which is what I'm after. I can manually disable the ISA Proxy, but a savvy user could just re-enable it from the system tray. We are also using MS AntiSpyware Beta 1 and I might be able to use the advanced tools to take isatray.exe out of the startup directory. Any suggestions are appreciated.

Thanks,

Brian
0
 

Author Comment

by:BrianEsser
ID: 17092128
All users have local admin - Don't ask me why?
0
 

Author Comment

by:BrianEsser
ID: 17092184
Justin, I'm familiar with what you are suggesting, but without DNS I'm not sure if I'd break something else in the process. I'd have to do a lot of testing I don't have time to do at this point. Hoping something more simple can be done. However, even with local admin rights, your suggestion is complex enough that the user wouldn't be able to undo that which he has no idea has been done. We'll have to see what other options are available, but in the long run this may suffice.

Thanks,
Brian
0
 
LVL 4

Expert Comment

by:johanvz1
ID: 17092187
Hi,

You could use Justin's way, except that the user has local admin rights and can just change it back. However, depending on how knowledgeable the user is, you could always use the attrib command in the command prompt to hide the lmhosts further so that he won't be able to find it. Unfortunately, with SP2 by default you can only really block incoming traffic unless you install a third-party application like ZoneAlarm, but I wouldn't suggest you do that.

Rgds,

Johan

0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092219
BrianEsser-

If it is a member of the domain, I would also add an entry for any servers that the user must connect to:

- Including:

- Domain Controllers
- Exchange Servers
- File Servers

Please keep in mind you can ALWAYS login as local admin and put back to normal- so it shouldn't take that much testing as it is easily reversible.

Thanks,

justin
0
 
LVL 18

Expert Comment

by:Crash2100
ID: 17092265
Do you have access to the router?  Because you could just block the internet ports for that computer with the router, and that would prevent it from affecting internal traffic.
0
 

Author Comment

by:BrianEsser
ID: 17092318
Justin, You are correct, there are several other servers that would have to be included and once I identified them I could certainly perform the steps you've outlined.

One question though - We use DHCP - Wouldn't that provide the DNS server info every time the Network or PC was restarted? The Hosts file is looked at first regardless, but if DNS is available due to DHCP then if browser doesn't find in Hosts file, it will then use DNS if available right?

Thanks,

Brian
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092342
You can either statically address the machine, or just set the IP address itself to automatically obtain and MANUALLY specify the DNS SERVERS.  In that case, you can just set the DNS server entries to 127.0.0.1 - which would of course give no response quickly.

Thanks,

justin
0
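
An added example, not part of the original thread: a Python check that a hosts-file allowlist like the one described in the answers above covers every internal server the user needs, and that no configured DNS server can still answer lookups for names outside the list. The host names other than intranet.yourdomain.com, all IP addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file after the allowlist steps were applied.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.0.10       intranet.yourdomain.com intranet   # intranet web server
10.0.0.2        DC01.yourdomain.com
10.0.0.5        mail.yourdomain.com
not-an-ip       broken.yourdomain.com
"""

# Constructed list of names the restricted user must still reach.
REQUIRED = ["intranet.yourdomain.com", "dc01.yourdomain.com",
            "mail.yourdomain.com", "files.yourdomain.com"]


def parse_hosts(text):
    """Return ({name: ip}, [(line_number, line)]) for valid and malformed lines."""
    table, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            bad.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:                      # address with no host name
            bad.append((lineno, raw.strip()))
            continue
        for name in fields[1:]:
            # Host names are case-insensitive; keep the first mapping seen.
            table.setdefault(name.lower(), ip)
    return table, bad


def audit(hosts_text, required, dns_servers):
    """Report required names with no entry, malformed lines and live DNS servers."""
    table, bad = parse_hosts(hosts_text)
    missing = [n for n in required if n.lower() not in table]
    # Any non-loopback DNS server would still resolve names outside the list.
    live_dns = [s for s in dns_servers
                if not ipaddress.ip_address(s).is_loopback]
    return {"missing": missing, "bad_lines": bad, "live_dns": live_dns}


if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS, REQUIRED, ["127.0.0.1"]))
```

Hosts entries only cover name-to-address lookups; the SRV-record lookups a domain member uses to locate domain controllers cannot be expressed in a hosts file, so test domain logon after applying the change.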
 

Author Comment

by:BrianEsser
ID: 17092437
Sounds like it would work just fine - Thanks for the help.

Take care,
Brian
0
 
LVL 3

Expert Comment

by:juandelacruz2001
ID: 17092440
I'm wondering, how about removing (empty) the default gateway entry?

Good luck...
0
 

Author Comment

by:BrianEsser
ID: 17092449
Crash, no access to routers. Thx ~B
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17092754
juan-

good idea
0
