Blocking Websites for Users...

IT Tech
I have a bit of a challenge here... my client wants to block access over the entire network to sites such as Facebook, MySpace, etc.

We have a WatchGuard 550 Core firewall in place, and it's fairly new as well... The WebBlocker subscription was a 3-month trial that was in place by default and has expired.  Now that the need has arisen to block sites, I find it hard to believe that the "only" way according to WatchGuard is to purchase this "WebBlocker" service add-on that is $670.00.

Is there any 3rd party software I can install on client machines or via group policy that would stop users from going to certain sites?  Any ideas would be greatly appreciated!

You can make a change in DNS for the websites in question.

If all your systems use a Windows-based DNS server, which I assume they do, you can create DNS entries for these websites so that users are directed to a website of our choosing, possibly a company intranet. If you need more assistance, make a comment :)


That sounds great, all client machines point to the domain controller for DNS resolution.  Domain controller is running Windows 2003 R2 Standard.  If you could tell me how to add/mod the DNS to redirect for example that would be great!  Thanks.
Alan Hardisty, Co-Owner
Top Expert 2011

You can also set up a login script that copies down a hosts file with those sites listed that point to and places the file in c:\windows\system32\drivers\etc
This will work just as effectively as the DNS way - I guess it depends on which one is easiest to implement.


I would like to just do the DNS redirects if anyone can tell me how to do that?  Thanks
If you just created new forward-lookup zones for each of the domains you want to block, then you could add the hosts in there with the address of

The painful part will be creating all those zones... I'm not sure if there's a good way to automate that one.

One way would be to create one zone, and then take the .dns file that gets created and copy and modify it over and over... then restart the DNS server and it should see all the zone files.

Make sure you make the DNS server authoritative for the zone, here is an MS article to set up DNS
Top Expert 2007

One more solution you can try is blocking sites at the firewall level; for this, however, you would need to put in the IP addresses, and this is quite a job [as the mirrors keep coming up for heavily used sites and it is a challenge to keep up with them]. Also, if certain websites use a non-standard port like 8080, or HTTPS, you would need to either have a different service for each port/protocol pair or one consolidated service with all ports/protocols [adding a port/protocol to an existing service is again tedious, as you would need to delete and then re-add the service].

Thank you.
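
The forward-lookup-zone approach suggested in the thread, scripted as an added example (not code from any poster). It assumes PowerShell and `dnscmd.exe` (Windows Support Tools on Server 2003) are available on the DNS server; `blocked-domains.txt`, `Get-BlockCommands` and the `192.0.2.10` address are hypothetical placeholders for your own list and internal landing page.

```powershell
# Added example, not code from the thread. Assumptions: dnscmd.exe is on PATH
# (Windows Support Tools on Server 2003) and this runs on the DNS server itself.
param(
    [string]$ListPath = '.\blocked-domains.txt', # hypothetical list, one domain per line
    [string]$SinkIp   = '192.0.2.10',            # placeholder for the internal landing page
    [switch]$Apply                               # without -Apply the commands are only printed
)

# Accept plain DNS names only, so a list entry can never smuggle in dnscmd switches.
$NamePattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'

function Get-BlockCommands([string[]]$Lines, [string]$Ip) {
    $seen = @{}
    foreach ($line in $Lines) {
        # Strip comments, whitespace, case differences and a trailing root dot.
        $name = ("$line" -replace '#.*$', '').Trim().ToLower().TrimEnd('.')
        if ($name -eq '' -or $seen.ContainsKey($name)) { continue }
        if ($name -notmatch $NamePattern) {
            Write-Warning "Skipping invalid entry: $line"
            continue
        }
        $seen[$name] = $true
        # File-backed primary zone: the server answers authoritatively for the name.
        ,@('/ZoneAdd', $name, '/Primary', '/file', "$name.dns")
        # Apex plus wildcard, so www.<name> and any other host resolve to the same place.
        ,@('/RecordAdd', $name, '@', 'A', $Ip)
        ,@('/RecordAdd', $name, '*', 'A', $Ip)
    }
}

$failed = 0
foreach ($cmd in Get-BlockCommands (Get-Content $ListPath) $SinkIp) {
    if (-not $Apply) {
        "dnscmd $($cmd -join ' ')"   # dry run: show what would be executed
        continue
    }
    & dnscmd.exe $cmd | Out-Null
    if ($LASTEXITCODE -ne 0) {
        $failed++
        Write-Warning "dnscmd failed ($LASTEXITCODE): $($cmd -join ' ')"
    }
}
if ($failed) { Write-Warning "$failed command(s) failed; review the zones in the DNS console." }
```

Run it once without `-Apply` to review the generated `dnscmd` lines, then again with `-Apply`. Because the server becomes authoritative for each listed zone, any host under it that lacks a record stops resolving, which is why the wildcard record is added.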
