Best Way to Let Users Access Potentially Dangerous Sites?

A few of the users at our firm are sometimes required to do investigative work that takes them to web sites of ill repute. Currently our Palo Alto firewall is doing an excellent job of blocking these websites and their potentially dangerous content. However, we'd like to find a way to access such sites without exposing our internal network. I'm looking for suggestions as to what would be the most efficient way to accomplish this for users on Windows 7 workstations that are working from our internal network. Would it require the use of a DMZ or is there perhaps another way?

A little bit about our environment: 4 ESXi hosts, virtual servers and physical servers (all running versions of Windows Server from 2003 to 2012), Windows 7 workstations, HP ProCurve switches, everything behind a Palo Alto PA-500 firewall.

Thanks in advance for any suggestions!
Scott Fowler Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Remove any filters that these users have. Basically a power user who can go to any site they wish. That would be your easiest approach without compromising other users' access.

Schuyler Dorsey Commented:
It really depends on budget, supportability, time and risk appetite.

The *most* secure way would be for each of those users to have a physically separate machine connected to a different VLAN in a "dmz" or separate zone of the PAN, etc. But there is a certain amount of cost to this and added complexity to your network.

On the flip side, an easy change that reduces risk while not requiring as much change would be for that select group of A.D. users, change the URL action on the "bad" categories from Block to Continue. This will remind them every time they hit a bad site yet not obstruct their daily job tasks. While using the Continue action, if they visit a website which tries to call out to a malware URL, this would most likely still be blocked as the extra call will not readily be able to handle the "Continue" requirement of your URL filtering profile.

Virtual machines which you can easily restore to a known-good state. Keep them on an isolated subnet (preferably a private VLAN, which prevents machines on the same VLAN from communicating with each other).
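
One way to automate the restore-to-known-good advice above on the ESXi hosts mentioned in the question, using VMware PowerCLI. This is an added example, not part of the original thread; the server name, VM naming pattern, snapshot name and port group name are all assumptions.

```powershell
# Added example: every name below is an assumption, not a value from the thread.
$Server      = 'vcenter.example.internal'   # placeholder vCenter/ESXi address
$VmPattern   = 'research-*'                 # hypothetical naming for the browsing VMs
$Snapshot    = 'known-good'                 # hypothetical clean-state snapshot name
$IsolatedNet = 'PVLAN-Research'             # hypothetical isolated port group

Import-Module VMware.PowerCLI
Connect-VIServer -Server $Server | Out-Null

foreach ($vm in Get-VM -Name $VmPattern) {
    $snap = Get-Snapshot -VM $vm -Name $Snapshot -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $snap) {
        Write-Warning "$($vm.Name): snapshot '$Snapshot' missing, VM left untouched"
        continue
    }

    # Discard whatever the last browsing session left behind.
    if ($vm.PowerState -eq 'PoweredOn') {
        Stop-VM -VM $vm -Confirm:$false | Out-Null
    }
    $vm = Set-VM -VM $vm -Snapshot $snap -Confirm:$false

    # Refuse to run a VM whose NIC has drifted off the isolated network.
    $offNet = Get-NetworkAdapter -VM $vm |
              Where-Object { $_.NetworkName -ne $IsolatedNet }
    if ($offNet) {
        if ($vm.PowerState -eq 'PoweredOn') {
            Stop-VM -VM $vm -Confirm:$false | Out-Null
        }
        Write-Warning "$($vm.Name): adapter on '$($offNet.NetworkName -join ', ')', not started"
        continue
    }

    # A snapshot taken with memory may already have resumed the VM.
    if ($vm.PowerState -ne 'PoweredOn') {
        Start-VM -VM $vm | Out-Null
    }
    Write-Output "$($vm.Name): reverted to '$Snapshot' on $IsolatedNet"
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Running this on a schedule or at session end means each investigation starts from the clean snapshot, and the port group check catches a VM that was reconnected to an internal network.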
