block a website on a PC.

I have 3 workstations.  3 are windows 7 and 1 is windows 10.  I need to block one website from these machines.  I'm trying to figure out if I can do it locally.  They are all on the domain.  Is there a way I can block a certain website at the machine level?  the are using both Chrome and IE 11 the site is an http://x.x.x.x:port/xxx/xxx
WellingtonISAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alex GreenProject Systems EngineerCommented:
No is the short answer, not without 3rd party software, you're better off blocking it on your router or firewall.

You could edit the Host file with the domain name and point it to 127.0.0.0 or something.
WellingtonISAuthor Commented:
Tried that 127.0.0.0 http://x.x.x.x:port/xxx/xxx didn't work
Branislav BorojevicWeb EnthusiastCommented:
You can block the website through your HOSTS file.

https://helpdeskgeek.com/how-to/block-websites-using-hosts-file/

Alternatively, there are software solutions available (both free and paid) that can block websites for you.

This is one of them:

http://www1.k9webprotection.com/aboutk9/protect-myself
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

LEARN MORE
WellingtonISAuthor Commented:
I tried host file but I'm still able to reach the site
Alex GreenProject Systems EngineerCommented:
have you done ipconfig /flushdns


Also, only put in  http://x.x.x.x
Dr. KlahnPrincipal Software EngineerCommented:
Depends on how smart your users are.

Adding the IP address of the offending site to hosts will block access to the site via URLs of the form http(s)://aaa.bbb.ccc.ddd

However, it won't block access if the site is accessed by its hostname.  For that another hosts entry is required.

Further, if the offending site is located on a server farm, or if it uses dynamic DNS, its IP address can change without notice.

But if the users are at all inclined to be uncooperative or are even a little bit clever, they'll go out and access the forbidden site through an open proxy, of which there are hundreds so they are impractical to block, or use a VPN, and any of these will bypass hosts, firewalls, routers and filters.
WellingtonISAuthor Commented:
no host name just and IP address. And yes I flushed DNS and even rebooted.  I can hit the link and the site opens.
Pete LongTechnical ConsultantCommented:
OK you cant block an IP address with a hosts file? (the clues in the name chaps its for resolving hostnames to IP addresses)

Are your users going to an IP address?  

if so put a static route on them to drop the traffic to that IP, e.g. if it was http://123.123.123.123

Then from an elevated command prompt

route add 123.123.123.123 mask 255.255.255.255 127.0.0.1 -P

Open in new window


If that does not work, change 127.0.0.1 to be an IP address on your network that ISN'T the default gateway.
Then punch your users and put them on all a verbal warning
Phillip MonkIT ManagerCommented:
Since the computers are on a domain, I'll assume that you have Active Directory installed and that the DNS address that you PC's use is the address of the Domain Server as it's primary. In your DNS Manager on your Server, open the Forward Lookup Zone under your DC and create a New Zone. Name the zone the website you wish to block and don't create any records for it. Now all query to that website will be redirected by your server, to nowhere, hence blocking that website.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f53fde7c-4f48-469b-b678-92cd66737fbc/quotblockquot-a-specific-domain-in-windows-dns?forum=winserverNIS

If you are attempting to block an IP address, the Firewall is the appropriate place, since it will faithfully dump all traffic with a deny rule.
Lee W, MVPTechnology and Business Process AdvisorCommented:
You can't block a web site through a host file using http://www.blah.com.  You CAN block an entire internet name though.  It won't JUST affect web sites.  It affects FTP, Ping, and everything else internet based from going to the target site.  In MOST cases, this is fine.

In short, DON'T make your host file entry something like these (THESE DON'T WORK!)

127.0.0.1 http://www.blah.com
127.0.0.1 http://www.blah.com:port/xxx/yyy

Open in new window


DO make it something like this (THIS should work)

127.0.0.1 www.blah.com

Open in new window


You can also block it for the entire domain by creating the zone for blah.com in your DNS. Then your DNS will think it should provide resolution for that domain and since nothing's defined will be unable to find blah.com
WellingtonISAuthor Commented:
Thanks I would but the site is only an IP so I can't.  As for DNS there are other users needing to use this site so I can't just block it.  This is a bit of a challenge.
Phillip MonkIT ManagerCommented:
I'd still use Windows Firewall to block the IP address on the identified PC's..

https://superuser.com/questions/1159401/using-windows-firewall-to-block-a-specific-ip-on-windows-10

If you have sophisticated users, I would use a GPO to ensure no tampering could occur.
WellingtonISAuthor Commented:
Nothing I try is working and I think this is because it's routed internally and not to the internet.  This IP goes to my corporate office to allow users to clock in.  I'm trying to block it on 4 specific machines because they are not supposed to use them to clock in but everything I've tried doesn't work. thanks for the suggestions.
kevinhsiehCommented:
Your internal router(s) can block traffic from specific IP addresses to the internal web server on the specified port. Note that you need to be very careful, or you will break your internal network. Be sure that you also put in a rule to permit all the other regular traffic!

You can firewall the web server itself, or modify IIS/Apache to reject traffic from those specific IP addresses for that web site.

You could potentially use something like policy based routing to black hole the traffic from the workstations to the web server/port combination. Probably a better idea is to put in NAT somewhere along the path to NAT just that traffic to another web site that tells them that they don't have access...

My first two ideas are better.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.