Solved

Temporarily block internet access for a group of PCs

Posted on 2007-04-02
Last Modified: 2013-11-15
I was wondering if anybody has a clever way of temporarily blocking internet access on a group of PCs.

I'm hoping that somebody has been in my situation before and knows a pretty solution. What I have is a school network with 3 computer rooms, and I'm getting requests from the computer teachers for them to have control over whether the PCs can get internet access or not. What they are looking for is really just an on/off switch for each room.

Is there a neat way of doing this? (Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)
Question by:kearnejm
15 Comments
 
LVL 4

Accepted Solution

by:
bikvi_sibro earned 125 total points
ID: 18838856
A quick method that comes to mind is when in IE on the specific machine, go to Tools> Internet Options, select the "Connections" tab, and choose "LAN Settings".  Check "Use a proxy for your LAN" and put in some bogus settings.  This way, no one can get to webpages easily.  Also, if you can, set up a local or group policy so no one can change the settings.
0
 
LVL 2

Expert Comment

by:flscott
ID: 18839690
Is this a simple p2p network, or do you have a Server and AD?
0
 

Author Comment

by:kearnejm
ID: 18839881
This is a fairly large network, with some servers and an Active Directory setup. I also have a shorewall/squid server as the gateway between the network and the internet.

Setting the proxy server to a junk value is of no use to me, as firstly it is easily possible to get around, and secondly it is not an easy on/off switch for a teacher. Even doing this via active directory group policy is a no-no as first it's not easy to switch on/off and secondly the update speed is too slow.

What I think is needed is a web control panel of some sort, but I'm not sure...
0
 
LVL 2

Assisted Solution

by:flscott
flscott earned 125 total points
ID: 18840492
You could put the three classrooms on 3 routers and give each teacher access to the room's router config. Give them explicit directions on how to disable just internet access using the router's GUI. This could be done with just a couple hundred bucks in switches/simple routers.
0
 

Author Comment

by:kearnejm
ID: 18840551
flscott, thanks for the answer, but I think that having to access router configuration pages is too far beyond the technical ability of most teachers. Even with explicit instructions in place, I think that there is far, far too much to go wrong...
0
 
LVL 4

Expert Comment

by:tree_d
ID: 18841687
Just to clarify, do the teachers want the computers to still be connected to the network when they cannot access the Internet, or is it OK for the computers to be completely disconnected from the network?
0
 

Author Comment

by:kearnejm
ID: 18841920
tree_d, yea, as per the original post " (Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)" they cannot be disconnected from the network.
0
 
LVL 7

Expert Comment

by:tymes
ID: 18845648
For multiple rooms, I'd use a common router like a DLINK DI-604 (example only, I might find another). I would bookmark directly to the filters page http://support.dlink.com/emulators/di604_reve/adv_filters.html and I would click on the preconfigured range of a particular room and either enable it or disable it.  5 clicks (from clicking on the bookmark to OK) allow you to toggle any of a number of different rooms/configurations all on one webpage.  IP addresses/DHCP would have to be meticulously configured so each room was grouped by IP address.

I might even have two routers so the servers and other important machines would route through the 2nd, while teachers could play with the cheapo second router that students/unknown would use.  The 2nd router would be restricted by MAC addresses so only servers and a few workstations had access via that route.

Your squid server sorta screws things up.  Because of the local proxy server, neither DNS nor the default route matter as Squid takes care of all that... as machines don't need routes or DNS if they use the proxy server.  Otherwise, I might want to restrict DNS access to control internet access, but that would break local area stuff.

Now what I would actually do would be to configure the default route to one server configured with RAS and NAT that acts as a router and the gateway.  I would configure a bunch of IPsec policies for each group that I wanted to control based on IP ranges which DHCP would have to carefully give out, then I would have a webpage that would execute a script to activate or deactivate an IPsec policy blocking access to the server and therefore the gateway.  This would be a good option if the squid was on a Windows box and not on Linux as this would fix the problem with squid.

To waste a budget, I'd get M$ ISAserver and replace the squid and use policies there.  IP addresses wouldn't matter so much and people and machines and windows groups could all be controlled.  This is hardly a simple way.
0
 
LVL 17

Expert Comment

by:kadadi_v
ID: 18850573
Yes, using a hardware firewall is easy for you to configure: connect the ISP connection to the WAN port of the router (if you are already using one, that's good; if not, then purchase an internet router (D-Link, Netgear, etc.)). From the router's Ethernet port, connect the cable to a switch (24 port, or as per your requirement of connected PCs). The filter/firewall options are there in the router, and as tymes said, with the D-Link DI-604 router you can configure the IP addresses to block internet access and also block non-standard sites in the router configuration.
That means using the router configuration in IE, like http://192.168.0.1

Regards,

V.K.
0
 

Author Comment

by:kearnejm
ID: 18850728
Thanks for the hardware ideas, but as the computer rooms aren't all that near each other, it would require 3 new routers to do this, and wouldn't be terribly pretty. Besides, it means having to give teachers admin access to routers, which I'm not overly wild about.

tymes, how exactly would an IPSec solution work? I have Active Directory and such, but almost no experience with IPSec. Do you know of any website that would explain how to do it?
0
 
LVL 17

Assisted Solution

by:kadadi_v
kadadi_v earned 125 total points
ID: 18851463
0
 
LVL 7

Assisted Solution

by:tymes
tymes earned 125 total points
ID: 18854652
Well, I can't find any of my own examples, but to just quickly tell you what to do...

run secpol.msc on the server in question that handles the routing.  You would want to create a new IPSEC policy where the default is allow then a series of IPSEC FILTER LISTS containing IP FILTERS of subnets or IP addresses of individual computers that you want to allow or deny.  You would do this all using the gui and develop the policy... ultimately, you might have 3 IP FILTER LISTS with the subnets (recommended).  In the GUI you would select the IP FILTER LIST and either Permit or BLOCK.

Actually, let's just do it and list the instructions... run secpol.msc. go down to "IP Sec Pol on Local Comp".  Create new IPSEC Pol to enter wizard..  Name it "NETTOGGLE_POL", next till we can add some rules...
so add a rule that will control access for one group of computers: add rule next next to get to IP Filter Lists... create a new filter list, add mirrored rules from My IP address to the Subnets or IP addresses of individual computers (one subnet should be good if you planned DHCP properly).  Call this List "ROOM1".
Back at the IP Filter list, select the new ROOM, then next to the Filter Action, and add a new FilterAction called "ROOM1_ACTION" and configure it to block then select it. OK, we're done room1
Back at the Rules page, add "ROOM2", configure the IP Filter List with the subnet and add a new Action ROOM2_ACTION.  Select BLOCK.  Repeat for ROOM3.  I just noticed this will be the easiest way to script later if each room list had its own action.

You can create a new Exemptions IP Filter list with server and teacher IP addresses and Permit those all the time.

The GUI aspect is configured, apply the Policy and all the rooms should be blocked.  You can edit any of the rules and change the Filter Action from Permit to Block to use the GUI to toggle rooms.

At this point we can now start scripting this... so a webpage with a bunch of buttons that toggle this is needed.  

For a command line we can just use the commands...
netsh ipsec static set filteraction ROOM1_ACTION action=BLOCK
netsh ipsec static set filteraction ROOM1_ACTION action=PERMIT
netsh ipsec static set filteraction ROOM3_ACTION action=BLOCK
etc to easily and very logically just change the filter actions... (easier than changing RULES as rules can't be referenced by name and need to be referenced by # or GUID)

netsh ipsec static show filteraction ROOM1_ACTION
netsh ipsec static show filteraction ROOM2_ACTION
netsh ipsec static show filteraction ROOM3_ACTION

displays the current status.

A webpage could now be created that will manage the toggling on or off of this stuff.

For information on this look at TechNet or otherwise google some of the keywords you may have noticed like netsh and secpol.msc.  I don't have any references on hand, I fly by the seat of my pants.

0
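
The per-room toggle described in tymes's answer above, as an added example that is not part of the original thread. It wraps the same netsh filter-action commands in a function that a web page or scheduled task could call, accepts only a fixed list of room names so that form input never reaches the command line unchecked, and records who toggled what. The function name, the -Who parameter and the log path are hypothetical; the filter action names are the ones created in the answer, passed with netsh's name= tag.

```powershell
# Added example (not from the thread). Assumes the ROOM1_ACTION..ROOM3_ACTION
# filter actions from the answer already exist on the routing server and that
# the caller has rights to change the local IPsec policy.
function Set-RoomInternet {
    [CmdletBinding()]
    param(
        # Allow-list: only these three room names are accepted, so text coming
        # from a web form can never add extra netsh arguments.
        [Parameter(Mandatory)][ValidateSet('ROOM1', 'ROOM2', 'ROOM3')]
        [string]$Room,

        [Parameter(Mandatory)][ValidateSet('On', 'Off')]
        [string]$Internet,

        [string]$Who = $env:USERNAME,                   # hypothetical: name of the teacher
        [string]$LogPath = 'C:\NetToggle\toggle.log'    # hypothetical log location
    )

    # Internet "Off" means the room's filter action blocks traffic to the gateway.
    $action       = if ($Internet -eq 'On') { 'PERMIT' } else { 'BLOCK' }
    $filterAction = "${Room}_ACTION"

    & netsh.exe ipsec static set filteraction "name=$filterAction" "action=$action" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not update $filterAction (exit code $LASTEXITCODE)"
    }

    # Audit trail: timestamp, who asked, what changed.
    $logDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    }
    $entry = '{0:s} {1} set {2} to {3}' -f (Get-Date), $Who, $filterAction, $action
    Add-Content -Path $LogPath -Value $entry

    # Return the current state of the filter action so the caller can display it.
    & netsh.exe ipsec static show filteraction "name=$filterAction"
}

# Usage: Set-RoomInternet -Room ROOM1 -Internet Off
```

A page that calls this should sit behind authentication and pass only the room and On/Off values, so a student who finds the URL cannot re-enable access.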

Question has a verified solution.