Temporarily block internet access for a group of PCs

I was wondering if anybody has a clever way of temporarily blocking internet access on a group of PCs.

I'm hoping that somebody has been in my situation before and knows a pretty solution. What I have is a school network with 3 computer rooms, and I'm getting requests from the computer teachers for them to have control over whether the PCs can get internet access or not. What they are looking for is really just an on/off switch for each room.

Is there a neat way of doing this? (Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)
bikvi_sibro Commented:
A quick method that comes to mind is when in IE on the specific machine, go to Tools> Internet Options, select the "Connections" tab, and choose "LAN Settings".  Check "Use a proxy for your LAN" and put in some bogus settings.  This way, no one can get to webpages easily.  Also, if you can, set up a local or group policy so no one can change the settings.
Is this a simple p2p network, or do you have a Server and AD?
kearnejm (Author) Commented:
This is a fairly large network, with some servers and an Active Directory setup. I also have a shorewall/squid server as the gateway between the network and the internet.

Setting the proxy server to a junk value is of no use to me, as firstly it is easily possible to get around, and secondly it is not an easy on/off switch for a teacher. Even doing this via active directory group policy is a no-no as first it's not easy to switch on/off and secondly the update speed is too slow.

What I think is needed is a web control panel of some sort, but I'm not sure...

flscott Commented:
You could put the three classrooms on 3 routers and give each teacher access to the room's router config. Give them explicit directions on how to disable just internet access using the router's GUI. This could be done with just a couple hundred bucks in switches/simple routers.
kearnejm (Author) Commented:
flscott, thanks for the answer, but I think that having to access router configuration pages is too far beyond the technical ability of most teachers. Even with explicit instructions in place, I think that there is far, far too much to go wrong...
Just to clarify, do the teachers want the computers to still be connected to the network when they cannot access the Internet, or is it OK for the computers to be completely disconnected from the network?
kearnejm (Author) Commented:
tree_d, yea, as per the original post " (Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)" they cannot be disconnected from the network.
For multiple rooms, I'd use a common router like a DLINK DI-604 (example only, I might find another). I would bookmark directly to the filters page http://support.dlink.com/emulators/di604_reve/adv_filters.html and I would click on the preconfigured range of a particular room and either enable it or disable it.  5 clicks (from clicking on the bookmark to OK) allow you to toggle any of a number of different rooms/configurations all on one webpage.  IP addresses/DHCP would have to be meticulously configured so each room was grouped by IP address.

I might even have two routers so the servers and other important machines would route through the 2nd, while teachers could play with the cheapo second router that students/unknowns would use.  The 2nd router would be restricted by MAC addresses so only servers and a few workstations had access via that route.

Your squid server sorta screws things up.  Because of the local proxy server, neither DNS nor the default route matter as Squid takes care of all that... as machines don't need routes or DNS if they use the proxy server.  Otherwise, I might want to restrict DNS access to control internet access, but that would break local area stuff.

Now what I would actually do would be to configure the default route to one server configured with RAS and NAT that acts as a router and the gateway.  I would configure a bunch of IPsec policies for each group that I wanted to control based on IP ranges which DHCP would have to carefully give out, then I would have a webpage that would execute a script to activate or deactivate an IPsec policy blocking access to the server and therefore the gateway.  This would be a good option if the squid was on a windows box and not on linux as this would fix the problem with squid.

To waste a budget, I'd get M$ ISAserver and replace the squid and use policies there.  IP addresses wouldn't matter so much and people and machines and windows groups could all be controlled.  This is hardly a simple way.
kadadi_v (IT Admin) Commented:
Yes, using a hardware firewall is easy for you to configure: connect the ISP connection to the WAN port of the router (if you are already using one, that's good; if not, purchase an internet router (D-Link, Netgear, etc.)). From the router's Ethernet port connect the cable to a switch (24 port), or as per your requirement of connected PCs to the switch. In the router there are filter/firewall options, and as tymes said, on a D-Link DI-604 router you can configure the IP addresses to block internet access and also block the non-standard sites in the router configuration.
Meaning, using the router configuration in IE like this -
kearnejm (Author) Commented:
Thanks for the hardware ideas, but as the computer rooms aren't all that near each other, it would require 3 new routers to do this, and wouldn't be terribly pretty. Besides, it means having to give teachers admin access to routers, which I'm not overly wild about.

tymes, how exactly would an IPSec solution work? I have Active Directory and such, but almost no experience with IPSec. Do you know of any website that would explain how to do it?
tymes Commented:
Well, I can't find any of my own examples, but to just quickly tell you what to do...

run secpol.msc on the server in question that handles the routing.  You would want to create a new IPSEC policy where the default is allow then a series of IPSEC FILTER LISTS containing IP FILTERS of subnets or IP addresses of individual computers that you want to allow or deny.  You would do this all using the gui and develop the policy... ultimately, you might have 3 IP FILTER LISTS with the subnets (recommended).  In the GUI you would select the IP FILTER LIST and either Permit or BLOCK.

Actually, let's just do it and list the instructions... run secpol.msc. go down to "IP Sec Pol on Local Comp".  Create new IPSEC Pol to enter wizard..  Name it "NETTOGGLE_POL", next till we can add some rules...
so add a rule that will control access for one group of computers: add rule next next to get to IP Filter Lists... create a new filter list, add mirrored rules from My IP address to the Subnets or IP addresses of individual computers (one subnet should be good if you planned DHCP properly).  Call this List "ROOM1".
Back at the IP Filter list, select the new ROOM, then next to the Filter Action, and add a new Filter Action called "ROOM1_ACTION" and configure it to block, then select it. OK, we're done with room1.
Back at the Rules page, add "ROOM2", configure the IP Filter List with the subnet and add a new Action ROOM2_ACTION.  Select BLOCK.  Repeat for ROOM3.  I just noticed this will be the easiest way to script later if each room list had its own action.

You can create a new Exemptions IP Filter list with server and teacher IP addresses and Permit those all the time.

The GUI aspect is configured, apply the Policy and all the rooms should be blocked.  You can edit any of the rules and change the Filter Action from Permit to Block to use the GUI to toggle rooms.

At this point we can now start scripting this... so a webpage with a bunch of buttons that toggle this is needed.  

For a command line we can just use the commands...
netsh ipsec static set filteraction ROOM1_ACTION action=BLOCK
netsh ipsec static set filteraction ROOM1_ACTION action=PERMIT
netsh ipsec static set filteraction ROOM3_ACTION action=BLOCK
etc to easily and very logically just change the filter actions... (easier than changing RULES as rules can't be referenced by name and need to be referenced by # or GUID)

netsh ipsec static show filteraction ROOM1_ACTION
netsh ipsec static show filteraction ROOM2_ACTION
netsh ipsec static show filteraction ROOM3_ACTION

displays the current status.

A webpage could now be created that will manage the toggling on or off of this stuff.

For information on this look at TechNet or otherwise google some of the keywords you may have noticed, like netsh and secpol.msc.  I don't have any references on hand, I fly by the seat of my pants.
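The toggling script that tymes's webpage would call, as an added example that is not code from the thread: it wraps the netsh commands above so a room is switched by name and every change is logged. It assumes it runs elevated on the Windows server that routes the rooms and holds the NETTOGGLE_POL policy, that the filter actions are named ROOM1_ACTION, ROOM2_ACTION and ROOM3_ACTION as described, that the log path C:\NetToggle\toggle.log is free to use, and that the `show filteraction` listing contains a line of the form "Action : Block".

```powershell
# Added example, not from the thread. Run elevated on the routing server that
# has NETTOGGLE_POL assigned; room filter actions are named <ROOM>_ACTION.
$Rooms   = @('ROOM1', 'ROOM2', 'ROOM3')
$LogFile = 'C:\NetToggle\toggle.log'     # assumed path, change as needed
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

function Set-RoomInternet {
    param(
        [Parameter(Mandatory)][string]$Room,
        [Parameter(Mandatory)][ValidateSet('PERMIT', 'BLOCK')][string]$Action
    )
    if ($Rooms -notcontains $Room) { throw "Unknown room '$Room'" }
    # Same netsh command as above; the assigned policy picks up the new action.
    $out = & netsh ipsec static set filteraction name="${Room}_ACTION" action=$Action 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for ${Room}: $out" }
    # Audit trail: who flipped which room, and when.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $env:USERNAME $Room $Action"
}

function Get-RoomInternet {
    param([Parameter(Mandatory)][string]$Room)
    $out = & netsh ipsec static show filteraction name="${Room}_ACTION" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for ${Room}: $out" }
    # Assumption: the listing has a line like "Action : Block" or "Action : Permit".
    foreach ($line in $out) {
        if ($line -match '^\s*Action\s*:\s*(\w+)') { return $Matches[1].ToUpper() }
    }
    throw "Could not read the filter action for $Room"
}

function Switch-RoomInternet {
    # The teachers' on/off button: flip the room and return its new state.
    param([Parameter(Mandatory)][string]$Room)
    $new = if ((Get-RoomInternet $Room) -eq 'BLOCK') { 'PERMIT' } else { 'BLOCK' }
    Set-RoomInternet -Room $Room -Action $new
    return $new
}

function Show-RoomStatus {
    # One row per room, e.g. for rendering the status part of the webpage.
    foreach ($r in $Rooms) {
        $state = if ((Get-RoomInternet $r) -eq 'BLOCK') { 'OFF' } else { 'ON' }
        [pscustomobject]@{ Room = $r; Internet = $state }
    }
}

# Usage: block room 1 now, then show where every room stands.
Set-RoomInternet -Room 'ROOM1' -Action 'BLOCK'
Show-RoomStatus | Format-Table -AutoSize
```

Because editing local IPsec policy needs administrative rights on the server, the webpage should run this script under a dedicated service account rather than giving teachers that right themselves.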
