Solved

Allow Access ONLY to Google

Posted on 2013-05-24
5
373 Views
Last Modified: 2013-05-25
Hi All.

Win 7 Pro Clients, Win 2008 R2 Server.  
Police Station.  

Chief wants his client PCs to be able to ONLY go to Google (specifically Google Maps).  I tried using the hosts file, and I did this:

192.168.1.9   PDServer
76.211.198.133   maps.google.com (not the real IP, just for this example, EE people)!
76.211.155.109   ssl.googlestatic.com

I then went into the Network settings on these stations and told then to use 127.0.0.1 as their DNS.

When people login, they are not mapping to the drives on the server.  they have to manually remap the shares.  (i.e.  \\pdserver\users, etc)

Is there a better way to do this?  GPO maybe?  He does not have content filtering, so I can't restrict them that way.

thanks.
0
Comment
Question by:dougp23
5 Comments
 
LVL 3

Expert Comment

by:CITG_Carl
ID: 39194265
Dont change the DNS servers to 127.0.0.1, this will stop domain access/drive mappings/network file access

Ideally you would use content filtering to achieve this, have you thought about installing google earth/maps locally and denying all internet traffic?

Other solution is purchasing Microsoft Map Point

Cheers
0
 
LVL 14

Accepted Solution

by:
Don Thomson earned 500 total points
ID: 39194398
Have you tried setting up the Proxy in Internet Options/ Communications Lan Setttings  Proxy Settings

Set the proxy to 127.0.0.1  and then put
https://maps.google.com in as an exception.

Make sure you set both port 80 and 88 to the 127.0.0.1

It's not foolproof  but is a quick way of restricting people to one or just a few addresses.

Make sure that you also put in the URLs for windows updates and Virusscan updates

We usually put in the URLs for looking up ZIP or Postal Codes

Check the box which say not to use proxy for local addresses
0
 

Expert Comment

by:Amerilabdvickers
ID: 39194427
Hi Dougp23,
I would assume you have your 2008 R2 Server setup as a Domain Controller.  I would use the Group Policy settings to setup a default home page, you can create a policy to only allow that home page as well. You can also setup default mapped drives through GP.  I would setup all of these settings under Users only.  Then leave yourself and other admins out of the GP so you guys can still surf the web.
0
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39194958
You could use a Proxy Server, and filter the traffic that way. You'd need to set up a box as a proxy server, and install some free (i.e. WinProxy) or cheap (i.e. WinGate) proxy server software  on it. Then set up the GPO to point browsers to that device as the default proxy server, and set the firewall to only allow outbound web-traffic from that server. It would take some time to futz around and figure it all out, but you could do it. (While you're at it, you could set up a login script to map their drives for them as well...)

But here's another thought: How much money is it costing him to have you chase down this wild hare, vs. popping for a decent business-class router/firewall with content filtering. You could do this easily with a SonicWALL - even a TZ-105 would do the job. The box would cost about $400. A 2-year 8x5 Support contract would cost about $120, and the annual Content Filter subscription would cost somewhere around $100. So all told, we're talking around $720 - that's around $13/week - less, after year 1. How much are you costing him experimenting to get something to work that isn't designed to?

Sometimes, you have to get clarity on what they want, and then show them why the "cheap" solution, isn't so cheap.
0
 
LVL 2

Expert Comment

by:Chris_Ryan81
ID: 39195128
Easiest way I can come up with is set a static route for all addesses you want, and a different static route for all else.  


x = Local network
y = Google
z  = rest of the internet

I am assuming your default gateway is xxx.xxx.xxx.1

route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 xxx.xxx.xxx.1 
route -p add yyy.yyy.yyy.yyy mask 255.255.255.255 xxx.xxx.xxx.1 
route -p add zzz.zzz.zzz.zzz mask 0.0.0.0 xxx.xxx.xxx.2 (This is a fake address) 

Open in new window


Edit: or remove the Default gateway from internet properties and set the first 2 static routes above.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now