block facebook (some PC's)

I have been asked to block Facebook & MySpace on a Windows Server 2003 domain, with the exception of 7 workstations.  Essentially, all employees are to be blocked (37 PCs) and the 7 doctors must still have access to Facebook. What is my best option?  I have seen fixes that block ALL PCs only.

Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
I would suggest one solution might be to create a DNS entry for the facebook.com domain in your existing DNS server - when users attempt to access the site, it should provide "page not found" type errors.

For the doctors who need it, make a hosts file entry (this is a PER COMPUTER, not per user, solution).

Otherwise, you might need third party software to do this (though you could do a per user hosts file - without the DNS server entry - and a script to copy it - problem with that is that your users would need admin access to the workstations, something they shouldn't have, as the hosts files require admin access to overwrite).  (Though I suppose you could change permissions on them... and of course, a savvy user who found out you were blocking by hosts file would be able to get around this.)

Another thing you could do is a firewall rule set... that might work... but that can be tricky.  Bottom line, when you want granular control like this, it's either going to take a lot of work, or cost some up-front money for software/network equipment that can do this.

Commented:
The cheapest way would be to use OpenDNS.

www.opendns.com

Since Feb 2010 they have offered this functionality (although it's around $5 per user, I don't think the free version does it).

Otherwise you are looking at installing a proxy server. There are tons available some ranging from free (open source) to hosted solutions.

But for only 37 users....

I would keep it real easy. Set up the default DNS settings on your Server box to OPENDNS basic (free). And then manually configure the 7 pcs to your existing DNS settings.

Or you could create a firewall rule (if you have one) to create an ACL for those doctors that allows them access to facebook.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
> Set up the default DNS settings on your Server box to OPENDNS basic (free).
> And then manually configure the 7 pcs to your existing DNS settings.

RageTech - please clarify - what do the server DNS settings (do you mean FORWARDERS) have to do with this?  Further, what would manually configuring DNS on 7 pcs do?

Did you mean to suggest that the 30 or so PCs should use openDNS as their only DNS server and then the 7 PCs the doctors use should use the existing server DNS?  You do realize this is a Windows Domain, right?  So you understand why this would be a really bad idea, right?

Steve Agnew, Sr. Systems Engineer

Commented:
A Microsoft solution would probably be to use parental controls in Internet Explorer, but that would probably be ugly. Your best route would be if you have a decent firewall/router: you need to get the doctors' PCs in a different IP range (probably do them static since there are fewer of them) and make sure the other computers are in a different DHCP zone, then put a rule into the firewall to block the Facebook/MySpace IPs but not the range the doctors' PCs are in. SonicWALL TZ100 is an inexpensive router/firewall that has this functionality and I think they are less than $300.
ftv34p4s, Owner

Author

Commented:
WOW - I am impressed.  4 possible solutions in 90mins!!!!  All of you sound pretty much on the same playing field.  I will try to implement a solution this evening & get back to you with the results.  Again, to each of you - thanks for the direction.

Commented:
try www.untangle.com

Very easy to implement. Full control and full reporting.
ftv34p4s, Owner

Author

Commented:
What we did is create a hosts file entry causing Facebook/MySpace/Yahoo/AOL to point to "127.0.0.1     www.facebook.com    www.myspace.com ".  We then used "psexec" to remotely install to each of the workstations that needed the block entry (omitted the doctors' PCs).  Tested and it works fine.  Our user base is pretty non-technical, so we do not fear any modifications being made. But, we will monitor usage. Thanks for steering me in the right direction.
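
For the monitoring mentioned in the last post, here is an added example (not part of the original thread) that audits hosts-file text for the block entries. Hosts entries match exact names only, so an entry for `www.facebook.com` does not cover `facebook.com`; the `REQUIRED` list and the sample text are assumptions constructed for illustration.

```python
import ipaddress

# Names the policy is meant to block (assumed list; adjust to your policy).
REQUIRED = ["www.facebook.com", "facebook.com", "www.myspace.com", "myspace.com"]

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address (first entry kept)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skip line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table

def audit(text, required=REQUIRED):
    """Return (blocked, missing): names sinkholed locally vs. names not covered."""
    table = parse_hosts(text)
    blocked, missing = [], []
    for name in required:
        addr = table.get(name.lower())
        if addr is not None and (addr.is_loopback or addr.is_unspecified):
            blocked.append(name)
        else:
            missing.append(name)                 # absent, commented out, or repointed
    return blocked, missing

# Constructed sample mirroring the entry quoted in the post above.
SAMPLE = """\
127.0.0.1     localhost
127.0.0.1     www.facebook.com    www.myspace.com
"""

# Constructed sample of a workstation where the block line was commented out.
TAMPERED = """\
127.0.0.1     localhost
#127.0.0.1    www.facebook.com    www.myspace.com
"""

if __name__ == "__main__":
    for label, text in (("deployed", SAMPLE), ("tampered", TAMPERED)):
        blocked, missing = audit(text)
        print(label, "blocked:", blocked, "missing:", missing)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; collecting it from each blocked workstation and running `audit` on the contents shows both gaps in coverage and entries that have been removed.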