

best way to filter internet traffic?

jmoriarty asked
Medium Priority
Last Modified: 2013-11-16

Having a bit of a problem with my employees wasting time browsing the internet, and going to sites they're not supposed to and so forth. What's the best way to essentially block all internet traffic except for certain sites?

Basically I want to just block everything except for an "allowed" list but I can't just block port 80 because I still use things like logmein, slacker, the company website, etc.


What sort of router do you use?
Do you use SBS server, Windows Server 2003?


Sorry, I should've specified -- standard Windows XP on 4 machines, fairly small scale, and the router is just a basic Linksys router, WRT54GL I believe. You can think of it more as a small home network, but used in a business/small office environment with little supervision.

best way if you want ... get a list of domains you want blocked.

eg - facebook.com / myspace.com

and edit the hosts file


now open this with notepad.  and follow the instructions and example for local host on that machine.

make all the blocked domains as the ip address and those domains will not resolve.

if you set this up as a batch file on your machine to copy the blocked and unblocked version of that hosts file you could block and unblock traffic when wanted to (by using the admin share if you're on a domain)

eg \\computer1\c$\windows\system32\drivers\etc\hosts

I have it set up as a scheduled task on the server, like the following

Block - 9am / 9:15am / 9:25am /2pm / 2:20pm / 2:25pm - multiple blocks in case computer is off
unblock - 12pm / 5pm.

that gives them 2 hrs during lunch time to at least have a look and keep them moderately happy.

Jaymy this is what the author is asking -

"Basically I want to just block everything except for an "allowed" list but I can't just block port 80 because I still use things like logmein, slacker, the company website, etc."

He doesn't want a block list but he only wants to open a certain no. of websites for all users. So hosts file is not an option. Secondly, he doesn't have a server either (by the looks of it).


What you can do instead is use the principle of HOSTS file to resolve hostnames to IP ADDRESSES instead of  using DNS server.

1. Give each PC a static IP address with a FAKE DNS address like
2. Now as mentioned above by JAYMZ, open up c:\windows\system32\drivers\etc\hosts in notepad on each PC.
3. Get your list of websites that you would like them have access to and ping them to get the IP address, put the following in the hosts file corresponding to the IP address     experts-exchange.com   news.com

That's it. Job done you have your allowed list and no one can browse anything else.

If any more questions let us know.
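The two hosts-file answers above (the block list pushed out on a schedule, and the allowlist that works by pointing the PCs at a dead DNS server so only names pinned in the hosts file resolve) share one mechanism. The following is an added example, not code from this thread or from any poster: it renders an allowlist hosts file from a table of allowed names, models what a lookup returns once DNS is disabled, and checks a PC's deployed hosts file against the managed copy so an edited or stale file shows up as drift instead of going unnoticed. The IP addresses and `ALLOWED_SITES` entries are constructed sample values; the hosts path is the one the thread quotes.

```python
"""Build and verify a hosts-file allowlist (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"  # path quoted in the thread

# Constructed sample: allowed site -> the address you got by pinging it.
# 192.0.2.0/24 is a documentation range, not a real resolution.
ALLOWED_SITES = {
    "experts-exchange.com": "192.0.2.10",
    "www.experts-exchange.com": "192.0.2.10",
    "news.com": "192.0.2.20",
}


def render_hosts(allowed: dict[str, str]) -> str:
    """Produce the hosts-file text: one 'ip name' line per allowed name."""
    lines = [
        "# Allowlist - managed centrally; local edits will be overwritten",
        "127.0.0.1\tlocalhost",
    ]
    for name, ip in sorted(allowed.items()):
        lines.append(f"{ip}\t{name}")
    return "\n".join(lines) + "\n"


def parse_hosts(text: str) -> dict[str, str]:
    """Map every hostname in a hosts file to its address; comments and blanks are skipped."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one address may carry several names
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def resolve(name: str, hosts: dict[str, str]) -> str | None:
    """Name lookup with the DNS server unreachable: the hosts file answers or nothing does."""
    return hosts.get(name.lower())


@dataclass
class Drift:
    added: dict[str, str]               # names present on the PC but not in the allowlist
    removed: dict[str, str]             # allowlist names missing on the PC
    changed: dict[str, tuple[str, str]]  # name -> (expected ip, actual ip)

    def clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def check_drift(expected: dict[str, str], deployed_text: str) -> Drift:
    """Compare a PC's hosts file against the managed allowlist.

    Any difference means the file was edited locally or the scheduled copy failed,
    which is the thing to alert on when the hosts file is the only control.
    """
    actual = parse_hosts(deployed_text)
    exp = {k.lower(): v for k, v in expected.items()}
    exp.setdefault("localhost", "127.0.0.1")  # render_hosts always writes this line
    added = {n: ip for n, ip in actual.items() if n not in exp}
    removed = {n: ip for n, ip in exp.items() if n not in actual}
    changed = {n: (exp[n], actual[n]) for n in exp if n in actual and exp[n] != actual[n]}
    return Drift(added, removed, changed)


if __name__ == "__main__":
    managed = render_hosts(ALLOWED_SITES)
    print(managed)
    table = parse_hosts(managed)
    print("news.com ->", resolve("news.com", table))          # allowed: pinned address
    print("facebook.com ->", resolve("facebook.com", table))  # blocked: None, DNS is dead
    # Constructed: a deployed copy that gained an extra line.
    tampered = managed + "203.0.113.5\tfacebook.com www.facebook.com\n"
    print("drift on tampered copy:", check_drift(ALLOWED_SITES, tampered))
```

The text `render_hosts` returns is what the scheduled copy job in the earlier answer would push to `\\computer1\c$\windows\system32\drivers\etc\hosts`; running `check_drift` against the file read back from each PC is the cheap way to notice when that copy did not take. Keep in mind what the scheme does and does not cover: it only shapes name resolution on the machine it lives on, which is exactly the gap the proxy suggestions in this thread address by moving enforcement off the workstation.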

Look at Squid Proxy.
A proxy is really the only fool proof way.

The above can easily be bypassed.

Remember to activate the hosts file you will need to do an "ipconfig /flushdns" command

Mr Jemson, nothing is fool proof mate. We are talking about NON IT SAVVY people here anyway

A bit of googling and they will be able to get around the hosts file within 10 minutes.
A proxy is AS fool proof as it gets.

hosts file ... lol ... my office hasn't ... why try if you know it's been blocked for a reason ... you bring bad attention to yourself if you waste more work time getting around it you'll most probably get fired ... sorry, turning into a forum now...

A proxy would have been my next suggestion. Mr Jemson is on the ball.

Only an idiot would put a proxy for a network of a few XP computers.

Everyone is not like you Mr. Jemson ;-). Most people would not even know about its existence. If you are too paranoid, I suggest putting deny permissions for all users on the hosts file.
But this is going to extreme level as next you will say that people working as receptionists know how to crack permissions too.


A proxy is a single point of administration - and eliminates the local PC as being the blocking device for the websites - so it's irrelevant if the user finds out how to bypass the hosts file or not. It can also provide some acceleration via caching. No need to configure new workstations because everything is going through the proxy.


"Only an idiot would put a proxy for a network of a few XP computers."

....doesn't sound like Mr Jemson's the idiot for suggesting a logically sound idea.

I think you missed the question: how feasible is it to put a proxy on a network of 4 computers?
A proxy is obviously the best solution but you have to take into account the size of the network and the IT budget in place.

$200 - $300 old second hand P4 with 1GB of ram, 1 - 2 hours configuration.
I don't know what the scale of your loss is due to time wasted on the internet by your employees.
But If you have a certain budget to regain control over your network, then I suggest that you take a close look at SpectorSoft.
Specially Spector 360.

Bit expensive for small businesses, but still - priceless !

I have been using this (and previous stone age versions) for the last 8 years or so. Nothing comes close to it.

You know what was done, when, how and by whom, anytime, with fully detailed stats, and you can even pinpoint one very specific user to "investigate" deeper.

And... It's fully stealth...

Client monitoring tool is currently running on Win XP Pro on a PIII 1000Mhz with 756M RAM butterbox (yeah!) - No slow down...

All the rest is cheap sh... asking for mountain of time to configure and figure the output results OR is hell way too expensive.

That's my best call for you.

Good luck !

Wow... I should have read myself before posting...

I am French and my English tonight simply sucks... But I think you can still understand!

My apologies to you all.


The only reason I'm against a proxy is that I remote admin these machines primarily, so adding an extra hardware layer isn't really ideal. The hosts file option should work well; the people I have manning those machines have extremely rudimentary PC skills, and, as mentioned, if they're purposely trying to circumvent that measure even after warnings/policy adjustments and so forth, they don't value their employment status very much.

The Spector 360 program looks very nice as well, but the price point is a bit high at the moment. It's definitely something that'd solve my entire problem in one fell swoop, so it's something to look into when finances permit.

As a side/final note, something else I found that looks interesting is Internet Access Controller, by Gearbox software. It's only $15.00 and looks like it may do something similar to what I'm after as well.

Thank you for all the comments, and the help!
