Allow facebook on a Pix 501 except for a few users

ndidomenico used Ask the Experts™
We are presently blocking Facebook on our network (25 PCs) using the DNS method (creating a zone for pointing to  But now we need to allow access to it, except for a few PCs.

Our router is a Pix 501 v6.3. Domain controller and DNS server is a Windows 2003 server Standard.

How would you recommend doing this?

So far, we thought about the following options:
1) Using ACL permit/deny commands on the Pix. Does Facebook continuously change IP addresses?
2) Using OpenDNS as the forwarder in our DNS server: wouldn't that be an allow-all or deny-all option? Not good for us if that's the case.
3) Using 3rd-party software, e.g. Websense. Does Websense work with a Pix 501?
4) Removing the zone from our DNS server. This would allow access to the site, but then how do we block it on these specific PCs?

Re point 4:

You could do it by adding an entry to the local hosts file.


Does the hosts file have precedence over the DNS server when name lookups are done in Windows?


In case the user finds out about removing the entry in the hosts file, what other method would you recommend? I am very tempted by the ACL Pix method, but not sure if it would work - haven't tried it yet.
1) Remove the zone in your DNS.  

2) Create a Group Policy to block access from * (see

3) Place users you want to block in an OU

4) Apply the Group Policy to the OU


Tried the hosts file and it does have precedence over the DNS server, so it can be blocked using this method. Can we use wildcards in a hosts file (ex: *  to cover subdomains like, etc.
ndidomenico's hosts file method will also work. Administrator privileges are required to edit the hosts file, so it is secure.
No, wildcards aren't allowed in the hosts file. Here is a list of the domains you will need to block.


Thanks Daves. Interesting, the GPO method... if the user has local administrative rights, can he remove or disable the entry made by the GPO in the Content tab of IE?
I'm not sure, I don't believe that's how Group Policy works, but it would be worth testing. However, if the user has local administrative rights he can download and install the Firefox web browser, which would bypass the policy anyway.

A local admin could also edit the hosts file.

If your users are local admins you are pretty much back to looking for a solution on the firewall.
He could, but the settings would be put back again once the GPO refreshed, normally at a random time within 90 minutes of the last refresh.


Looks like the hosts file might be more appropriate and simpler. Users might have Firefox, Google Chrome, etc., so the Content method would only work with IE while HOSTS would apply to all browsers. And the users are not local admins, so they cannot alter the hosts file.

What about using ACLs on the Pix? Would that work better, or would I constantly be chasing IP addresses for the Facebook sites to put in the Pix ACLs?
A quick search returned this, and I don't know how comprehensive it is

Like many popular Web sites, Facebook utilizes multiple Internet servers to handle incoming requests to its Web site. The following IP address ranges belong to Facebook:
• -
• -
• -

So, if you are able to find a comprehensive list of IP addresses for Facebook then utilising ACLs might be the way to go, but there will always be the doubt that there might be one other out there :)
Also, you will need to ensure the client computers that you want to block have static IP addresses.


So we decided to go with the hosts file method, since we don't have too many computers to configure.

Thanks for your input.
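The hosts-file method the thread settled on, as an added example that is not part of the original thread or any poster's code: a PowerShell script that sinkholes a list of names to 127.0.0.1 idempotently and then audits that each entry is present, suitable for re-running as a GPO startup script so a removed entry is put back. The domain list is constructed (the list posted in the thread was not preserved), and since the hosts file takes no wildcards, every subdomain to block must be listed explicitly.

```powershell
# Added example, not from the thread. Requires an elevated (Administrator) shell.
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$SinkAddress  = '127.0.0.1'
$BlockedHosts = @('facebook.com', 'www.facebook.com')   # constructed sample list

function Get-HostsEntries {
    # Parse the hosts file into a name -> address map, ignoring comments and blank lines.
    param([string]$Path = $HostsPath)
    $map = @{}
    foreach ($line in Get-Content -Path $Path -ErrorAction SilentlyContinue) {
        $clean = ($line -split '#')[0].Trim()
        if ($clean -eq '') { continue }
        $fields = $clean -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed line: no name after the address
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $map[$name.ToLower()] = $fields[0]           # last entry for a name wins, as Windows does
        }
    }
    return $map
}

function Add-HostsBlock {
    # Append a sinkhole entry for each name not already pointing at the sink address.
    param([string[]]$Names, [string]$Address = $SinkAddress, [string]$Path = $HostsPath)
    $existing = Get-HostsEntries -Path $Path
    $added = @()
    foreach ($name in $Names) {
        if ($existing[$name.ToLower()] -eq $Address) { continue }   # already blocked, skip
        Add-Content -Path $Path -Value ("{0}`t{1}`t# blocked by policy" -f $Address, $name)
        $added += $name
    }
    return $added
}

function Test-HostsBlock {
    # Audit: return the names that are missing or resolve somewhere other than the sink.
    param([string[]]$Names, [string]$Address = $SinkAddress, [string]$Path = $HostsPath)
    $existing = Get-HostsEntries -Path $Path
    return @($Names | Where-Object { $existing[$_.ToLower()] -ne $Address })
}

$added = Add-HostsBlock -Names $BlockedHosts
Write-Host ("Added entries: " + ($added -join ', '))
$missing = Test-HostsBlock -Names $BlockedHosts
if ($missing.Count -gt 0) { Write-Warning ("Not blocked: " + ($missing -join ', ')) }
```

Only IPv4 is sinkholed here; if a browser prefers IPv6, add a matching `::1` line per name with the same helper.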
