Block all but one website in Internet Explorer 8 using Group Policy

PhilipAnderson
Hi

I am a teacher running a classroom environment with a Win2003 server running IE7.

My class runs XP in a domain which I have complete control over.  

The clients are on IE8.

Is it possible to force Internet Explorer to go only to one site (i.e. www.measureup.com) and no other?

I have tried playing with Content Advisor to no avail, either locally or using Group Policy.  Obviously the solution I am needing is a Group Policy setting.

Thanks

Philip
Hi, there is a way to do this that is commonly used. This is from a guide at komando.com.

1) First, make sure that you take off all browsers except IE and block users from downloading/installing new software. This will only work for IE.

2) Next you need to write a special little text file. The file will configure Content Advisor to block all Web sites. Then you'll make one exception for your site. It’s not hard to do.

Start with Notepad. To open it, click Start>>All Programs>>Accessories>>Notepad. Then copy and paste the following:

((PICS-version 1.0)
(rating-system "http://www.microsoft.com")
(rating-service "http://www.microsoft.com")
(name "Noaccess")
(description "This will block all sites.")
(category
(transmit-as "m")
(name "Yes")
(label
(name "Level 0: No Setting")
(description "No Setting")
(value 0) )
(label
(name "Level 1: No Setting")
(description "No Setting")
(value 1) ) ))

After pasting in the text, click File>>Save As. Under "Save in:," select the C: drive. Select the Windows folder. Then select the System32 folder. That's where you'll be saving the new file.

Under "Save as type," select All Files. Under "File name," type in the name "noaccess.rat" (without the quotes). Finally, click Save.

Now you can start Content Advisor. From Internet Explorer, click Tools>>Internet Options. Select the Content tab. Under Content Advisor, click Enable. Select the Approved Sites tab.

Type in the Web address of your site. Windows understands wildcards (*). So you don't have to specify each page of your site. For example, instead of http://news.yahoo.com, enter *yahoo.com. After typing in the address, click Always. Now your site is listed as the only approved site.

Next, create a password for Content Advisor. Otherwise, someone might disable it and start surfing away on the Internet. Select the General tab. In Content Advisor, select the General tab. Under "Supervisor password," click Create Password.

You can type in a password and a password hint. The hint can help if you forget your password later. And it's a good idea. Without the password, you won't be able to access Content Advisor without some creative measures. When you finish, click OK.

Under "Ratings systems," click the Rating Systems button. Select any items listed and click Remove. Then click Add and pick the noaccess.rat file that you made earlier. Then click OK. You'll be at the General tab again.

Finally, make sure that the checkboxes under "User options" are not marked. Then click OK.

Now you can test the new settings. Try your Web site to make sure it works. Then try going to other sites. Internet Explorer will display a warning that other sites are not allowed.
Don't worry, the solution is right here.

My friend, the solution to your problem is ISA Server 2000 or 2004; in this you can create a web content filtering rule to make sure that your students can't access an unauthorized site. But if you do not want to get into this whole thing, then there is another small but effective solution, which is as follows. (But still I strongly recommend you take the first solution, because the second one is quite simple but you have to manually restrict the sites one by one by their URLs, which is quite time-consuming.) The choice is yours.
 
1.) Open “Run” from the start menu (or press WinKey + r). Just copy paste the following path and hit ENTER.

notepad %windir%\system32\drivers\etc\hosts

Alternately, go to C:\Windows\System32\Drivers\Etc and find the file “hosts”. Open that file in Notepad.

2.) When this hosts file is opened in Notepad, at the end of the file you will see something like “127.0.0.1 localhost”.

3.) Under “127.0.0.1 localhost” just add another website URL that you want to block.

For Example:-

127.0.0.1 localhost
127.0.0.2 www.youtube.com
127.0.0.3 www.facebook.com etc

4.) Make sure every time you add another website, the last digit of the address 127.0.0.x should not be the same.

5.) Save the file and exit.

So, here you go. Restart your browser if it is open and the changes will take place immediately.

The good thing is that no message, no pop-ups, nothing will be displayed when someone tries to open a blocked website. Your browser will just fail to open those websites without any error messages.

For further help in any regard, I would like to invite you to http://farjadarshad.blogspot.com

Commented:
How do you connect to the internet? If you have a Squid-like proxy in between, the best solution is to implement an ACL at the proxy.
Using this solution, no matter what browser someone uses, etc., only requests to the domain specified will be allowed! Here is how it is to be done:

# File: /usr/local/etc/allowed-sites.squid
www.siteyouwanttoallow.org

# File: /usr/local/etc/restricted-sites.squid
www.siteyouwanttodeny.com
www.siteyouwanttodeny2.com
www.siteyouwanttodeny3.com

Just as a bonus, if you want to block MP3s etc., here is an ACL for it:
acl BlockExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$

acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$

acl WMP browser Windows-Media-Player/*

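# UtentiGold is not defined in this snippet: define that ACL above this line
# (or drop "!UtentiGold"), otherwise Squid will reject the rule.
http_access deny BlockExt !UtentiGold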
http_access deny WMP all
http_access deny webRadioReq1 all
http_access deny webRadioReq2 all
http_access deny webRadioReq3 all

http_reply_access deny webRadioRep1 all
http_reply_access deny webRadioRep2 all
http_reply_access deny webRadioRep3 all

These can be good start up guides for you:
http://www.cyberciti.biz/faq/squid-content-filter-block-files/
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid
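
The allow-list side of the proxy approach described above, as an added squid.conf fragment that is not part of the original comment. The file path is the one given in the comment; the ACL names and the classroom subnet are assumptions to adapt.

```conf
# Added example: restrict a classroom subnet to an allow-list of domains.

# /usr/local/etc/allowed-sites.squid holds one domain per line.
#   www.measureup.com   matches only that exact host name
#   .measureup.com      matches the domain and every subdomain
acl allowed_sites dstdomain "/usr/local/etc/allowed-sites.squid"

# Assumed address range of the classroom PCs; replace with the real one.
acl classroom src 192.168.10.0/24

# http_access rules are evaluated top to bottom and the first match wins,
# so these two lines must sit above any broader rule such as
# "http_access allow localnet" in the stock configuration.
http_access allow classroom allowed_sites
http_access deny classroom

# Final catch-all: anything not explicitly allowed above is refused.
http_access deny all
```

Because the rule is enforced at the proxy, it holds for any browser on the client, provided the clients cannot reach the internet except through the proxy.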

My friend, Philip Anderson, whatever Phateon said is just another solution for your problem. He is talking about hardware solutions or a Linux-based solution, and I don't think an institute would invest that much money. But what I have told you is the easiest and cheapest solution. I am not just defending my answer; what I am saying is you can easily search for ISA Server's implementation guide and ISA Server's setup torrent on the internet. The site is
http://isaserver.org

and for ISA server torrent

http://torrentz.com
http://btmon.com
http://isohunt.com

Now the choice is yours. Which direction you choose!
Michel Plungjan
IT Expert
Top Expert 2009

Commented:
What do you mean "invest"? An old Pentium 3 with Linux and Squid will not break anyone's budget.

Commented:
The reason why I suggested that solution is because it is always better to have the control in your hands (as you know the dangers/use of such rules) rather than it lying with the end user who might not know the complications of such use.

Author

Commented:

Hi

To all: I am delaying making a reply simply due to the furious nature of my work.

As far as I can understand it, solution 1 by LondonTown123 is clearly the right solution because I did specify group policy was a criterion.

As regards the hosts file, I am managing a classroom and updating this file (which is a local, not a group policy solution) would not be the answer, although I am familiar with hosts and accept that it would be the perfect solution for one or two PCs.

Thirdly the proxy solution is ideal but I already have a proxy running ISA which has strict rules set and only allows permitted websites.  

What I am trying to do is to narrow down the ability of my students to be able to browse to just one or two sites of my choice, regardless of the broader settings already in place set by others on our proxy (to which I have no access to change anyway, so that solution is out).  But again I accept if I DID have access to a proxy it too would provide a better solution than group policy.  You were not to know that, so thanks for that response and the time you invested in writing out that solution!

Finally to Phateon I really appreciate your solution - I love Linux (run two Ubuntu PCs at home!) and you have put something in my mind which I would like actually to try out myself, so thanks for that non-Windows alternative which is great!

I had my top student try and implement LondonTown123 solution but it did not work and my student is still working on this as a project.  As and when we get to the bottom of it and get it all working, I will update the post and confirm the correct solution!

To all who responded - I really appreciate your help and input, and you are all right in your own way.

Thanks !

Phil

Author

Commented:
Hi

My students have followed your instructions (LondonTown123) but although the group policy appears to apply, when I log into a client the policy does not take effect, i.e. students can still browse all websites permitted on the proxy already.  Are there any troubleshooting steps?

Thanks

Phil Anderson

Could it be that I have a Domain Controller policy running that restricts Internet Explorer?
Hi, does the group policy work on the local machine (server) that you have set it up on?

Author

Commented:
Hi LondonTown123

Thanks for that - I checked and indeed the students had not actually enabled the content advisor to be actually active on my domain controller.  I turned it on and updated group policy with the import of settings from the server.  Looks to be working 100%!

I will do my final checks soon and close the case, after some testing.

Thank you SO MUCH - it REALLY WORKS!

Philip

Author

Commented:
Hi LondonTown123

I am grateful for your response to my question, and the prompt re troubleshooting which also got me 100% working!

You have the correct answer and my undivided applause - sorry it took so long to test but I got there in the end.  I have fully tested your solution and it works like a dream to constrain my students to visit ONLY THE WEBSITES WHICH I PERMIT which is a dream for me, you would not believe!!!

Thank you again for your time and effort in helping me in this solution.

Philip Anderson
Hi Phil,

You're welcome
