  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1362

limit a pc to certain web sites using gpedit.msc on XP

I would like to limit the computer, not just certain users.
Number of sites will total <20
0
lots2learn
3 Solutions
 
nappy_dCommented:
If you do this you will be limiting ALL users, including any administrator that wants to use the computer.  Is this something you still want to do? Or would you like a differing solution?
0
 
evan2645Commented:
What you can do is create an IPSec policy that denies all communications with the IP addresses of the sites in question. Basically what you will do is in IPSec create an Allow rule for all traffic, then create a deny rule for the websites you want to block, and enable the policy. Let me know, if you need I can provide a step-by-step
0
 
lots2learnAuthor Commented:
nappy d  - yes this is what I want for this one computer

evan2645- I am afraid I do not know about IPSec policies.
0
 
Fatal_ExceptionCommented:
There might be an easier way than using a GPO to accomplish this..  We have kiosks setup in our lobby, and I have installed a free program from MS called Steady State..  works great, and I can set it to allow only certain web addresses to be opened..  (like our corporate site)..  

Free from MS:

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Or, if you don't mind paying..  Browse Control was one that I looked at, but ended up with the above..

http://www.codework.com/bcontrol/product.html

FE
0
 
nappy_dCommented:
I was just about to post steady state as an option ;)

Yes, as Fatal_Exception suggests, Steady State will do this for you too.
0
 
Fatal_ExceptionCommented:
Yes, nappy, as a locked down host, it does a wonderful job!
0
 
evan2645Commented:
The problem with that is you have to touch every box. If you have many clients, that is a headache.

The good news is you can implement your IPSec policy through Group Policy, and push it down to any group of pc's you want. In gpedit, you can find the IPSec page from Computer settings > Windows settings > Security settings > IPSec policy

Below is a good step-by-step with pictures showing how to block web browsing using IPSec. The only difference in your setup is that when you create the IP Filter list, instead of specifying 'any' for destination IP address, you select an IP address of a site which you wish to block. You can add as many IP rules as you like.
http://www.petri.co.il/block_web_browsing_with_ipsec.htm

To find the IP address(es) that a website is being hosted on, open a command prompt and run the following:

nslookup thesiteyouwanttofind.com

I've done this before. IPSec is solid and proven, and it is always useful to have a policy already in place in case you have the need to add additional rules later. It also creates a single point of management for your blacklist.
0
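Added example, not part of the original thread: a Python sketch that turns saved `nslookup` output into the per-site destination addresses to enter in the IP filter list described above. The sample output, host names and addresses are constructed, and keeping only IPv4 addresses is an assumption of the example.

```python
import ipaddress

# Constructed sample: Windows nslookup output for two lookups (documentation-range addresses).
SAMPLE = """\
Server:  dns.corp.example
Address:  192.0.2.53

Name:    intranet.example.com
Addresses:  198.51.100.10
          198.51.100.11

Server:  dns.corp.example
Address:  192.0.2.53

Name:    cdn.example.net
Addresses:  2001:db8::1
          203.0.113.7
Aliases:  www.example.org
"""

LABELS = ("Server:", "Name:", "Address:", "Addresses:", "Aliases:")

def site_addresses(text):
    """Return {site: [IPv4 addresses]} parsed from nslookup output. The
    Server/Address pair opening each lookup is the DNS resolver, not the site,
    so it is skipped. Keeping IPv4 only is an assumption of this example."""
    result, current, in_addr = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        label = next((l for l in LABELS if line.startswith(l)), None)
        value = line[len(label):].strip() if label else line
        if label == "Server:":
            current, in_addr = None, False
        elif label == "Name:":
            current, in_addr = value, False
            result.setdefault(current, [])
        elif label in ("Address:", "Addresses:"):
            in_addr = current is not None
        elif label or not line:          # 'Aliases:' or a blank line ends the list
            in_addr = False
        if not in_addr:
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue
        if ip.version == 4 and str(ip) not in result[current]:
            result[current].append(str(ip))
    return result
```

A site that resolves to several addresses needs one filter entry per address, and the lookups should be repeated periodically because hosting addresses change.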
 
Fatal_ExceptionCommented:
evan..  the thing is, he indicated that this would only apply to one computer, not multiple hosts in a Domain..  Your solution is great, but to do this, he must be running a Domain Controller, and know a little about AD and GPOs..   might be good as a learning tool, but if it needs to be implemented in a timely manner..  well, you see where I am heading..  

Since it is only one computer he is dealing with, he can absolutely lock it down with Steady State, and does not have to go through a learning curve on Domains, or installing a DC Server...  

JMHO..  :)

FE
0
 
evan2645Commented:
You don't have to have a domain to do that. Just Microsoft Windows.

Anyways, I misread the 'just this one computer' post. Regardless, I always prefer group policy / IPSec for kiosk type situations, because let's face it: who HASN'T been able to sit down at a kiosk and manage to bypass the software running on it? :)

Actually, I took note of the SteadyState recommendation as I had never heard of it before, but my theory is why build a cage when you can build a moat?
0
 
lots2learnAuthor Commented:
Thanks to all for the SteadyState idea.  I tried it on the subject computer, but logon is blocked by 'NetWare for Clients'; additionally, as with the gpedit method, SteadyState only allowed one site.  The semicolon method did not seem to help, with or without a space after the punctuation.  Directions said to eliminate the http:\\.

Maybe I just need to get new employees!
0
 
evan2645Commented:
The 'gpedit method' allows for any number of IP addresses you like. All you have to do is repeat step 6 in the link I sent you when you click add. Enter the first destination IP address you want to block, then press ok ok. After you have entered the first address, just select ADD again (instead of next) to add another.
0
 
evan2645Commented:
see the pic below. Add will take you to the add IP wizard. You run through that wizard once for every IP you want to add. After you get back to the page in the pic, you should see that IP you configured in the box at the bottom. Instead of clicking next, just click ADD again to add another IP to that rule.

http://www.petri.co.il/images/ipsec_filters2.gif
0
 
Fatal_ExceptionCommented:
You should give IPSec a try..  but if you want, I can take a look at my Kiosk setup and see what I did to setup multiple sites.. (I think we are allowing just our internal Intranet Public site, but it contains many different links..)  We also use Novell, and that was not a problem either...

As to breaking through the Steady State, I think you will find that it is a very tough nut to crack!  I am not a professional hacker, but have been doing this for a while, and I think I would have a tough time cracking it..   I can get around an IPSec policy, but not SS...  :)

FE
0
 
lots2learnAuthor Commented:
Evan2645 and Fatal Exception,
What am I missing?  I greatly appreciate the detail and the references, but as I read them, I have to block web sites (as they become abused) rather than block all EXCEPT a select few that are used at least weekly for business.  Did I misinterpret your references?  If so, I apologize and will accept your next direction.
L2L
0
 
Fatal_ExceptionCommented:
Did you get to the IPSec Policy Window?

If not, here are the steps to evan's example above:

Start > Run > mmc (ok) - opens up Console1

 (Now you need to add the IPSec Management snap-in)

File > Add and Remove Snap-in
Add Button > IP Security Policy Management > Close button > OK Button

Now to configure it!

Right Click on IP Security Policies Snap In and choose Manage IP Filter Lists

(Opens another window)

This is where you configure your 'IPs'..  as per Evan's post above ^ .

Hope that helps!

FE
0
 
lots2learnAuthor Commented:
Thanks,
I'll give it a try tomorrow or Wednesday.
L2L
0
 
Fatal_ExceptionCommented:
Yes, and with IPSec, there is a little bit of a learning curve..  kind of why I suggested SS...  but learning is always a good thing!  :)
0
