We are presently blocking Facebook on our network (25 PCs) using the DNS method (creating a zone for facebook.com pointing to 127.0.0.1). But now we need to allow access to it, except for a few PCs.
Our router is a PIX 501 v6.3. The domain controller and DNS server runs Windows Server 2003 Standard.
How would you recommend doing this?
So far, we thought about the following options:
1) Using ACL permit/deny commands on the PIX. Does Facebook continuously change IP addresses?
2) Use OpenDNS as the forwarder in our DNS server: wouldn't that be an allow-or-deny-all option? Not good for us if it's the case.
3) Use 3rd-party software, e.g. Websense. Does Websense work with a PIX 501?
4) Remove the facebook.com zone in our DNS server. This would allow access to the site, but then how do we block it on these specific PCs?