Secure Web Browsing

I am looking for opinions and comments on what others are doing to secure their company networks while still allowing some form of web browsing by users.  I am looking for a solution that will allow me to limit my network's exposure to malware/viruses from users browsing the internet.  I have the standard safeguards in place such as local antivirus on client PCs, border firewall, web proxy, etc.  However, I am looking to secure our network and web browsing further.

What is everyone else doing?  For example:  Only allowing whitelisted sites.  Using two browsers, one for internal sites/whitelisted sites and a sandboxed virtual browser for all other browsing.  Using two PCs homed to different networks (public & private).

Any feedback of ideas and product solutions that I can consider would be greatly appreciated.

Look into the concept of using a remoteapp for browsing. I am tempted to say that this is the most secure solution there is.

Will write more tomorrow.
jorge diaz (SE) Commented:
It sounds to me like you've got to keep a pretty tight environment locked down; you have mentioned most of the technical implementations there are. I would add something like McAfee SiteAdvisor to it too. Another layer to add is keeping an end user information security program where users are involved and aware that internet connections are possibly "monitored". I've had many instances where just involving the user community by way of PPT presentations, emails, short videos, etc., gives them confidence to look out for and report any suspicious links or emails before they open them.

Ok, back for more on remote controlled browsing ("ReCoBs")

We have a Win2012 R2 Remote Desktop Server and it hosts Chrome and IE11 as RemoteApps. The users can connect and those browsers are nearly as fast as if they were local - displaying HD videos inside the browser is possible.
At the server, we run AppLocker to only allow these 2 browsers and their plugins to run - and nothing else. If a user comes across some virus that is not recognized by our AV software - never mind. It will not run at the server because AppLocker won't let it. We have not had a virus for the last 12 years - and we have been using that concept for about as long.
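
An added example (not part of the original answer, and not the poster's own configuration) of how the AppLocker allowlist described above could be built and trialled in audit mode with the built-in AppLocker cmdlets. The install paths, rule name prefix and output file name are assumptions.

```powershell
# Added example: build and audit a browser-only allowlist on an RDS host.
# Install paths below are assumptions; adjust to the server's actual layout.
$browserDirs = @(
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:ProgramFiles\Google\Chrome\Application",
    "$env:ProgramFiles\Internet Explorer"
) | Where-Object { Test-Path $_ }

# Inventory every executable shipped with the two browsers.
$files = foreach ($dir in $browserDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# Publisher rules where a file is signed, hash rules as the fallback.
[xml]$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Browsing' -Optimize -Xml

# Start in audit mode so nothing is blocked until the log has been reviewed.
foreach ($collection in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $env:TEMP 'browsing-host-applocker.xml'   # assumed name
$policy.Save($policyPath)

# Dry run: show the policy decision for a browser and for a non-listed binary.
$probe = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:windir\System32\cmd.exe"
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply as the local policy (replaces any existing local AppLocker policy;
# requires an elevated session). Rules are only evaluated while the
# Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc

# Event 8003 = "would have been blocked" while in audit mode. Anything listed
# here that users legitimately need must get a rule before enforcement.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit log shows only unwanted binaries under event 8003, changing `EnforcementMode` to `Enabled` in the saved XML and re-applying it turns the allowlist into a default-deny policy.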

IS_Team (Author) Commented:
Thank you for the replies.  With the Win2012 R2 Remote Desktop Server solution, would this server sit inside your network environment or in a DMZ off of your regular network environment?  Also, with the remote desktop, can multiple users connect into it for browsing at the same time or would you need multiple servers for this?

The server would sit wherever you like. It needs to be joined to the domain and of course it needs to have contact to your DCs via standard ports (outgoing), while the rest of the network will only need access to the RDP port (incoming, usually 3389).
The performance hunger of browsing has to be considered high, so let's say if there will be 25 users actively using it at the same time with each one having some tabs open, you need at least a 12-core CPU (calculate only 2-3 users per CPU core if you want to be sure), with at least 16 GB of RAM (calculate about 500-1000 MB per user, depending on usage scenarios).

So if you are talking big business, hundreds of users, of course you need more than one server (or one machine from the very high end).