All of these suggestions are good ones, but as the IT administrator you should present to your manager, and he or she should present to the execs, that to effectively manage web access, including restrictions, monitoring and reporting, a web proxy server should be deployed and all outgoing web requests should be forwarded through the proxy via network routing or browser proxy settings, with tight outgoing port restrictions controlled at the network gateway.

Using the IE restricted sites, HOSTS files, or creating an IPsec policy or a placeholder bogus DNS zone to solve this political issue is a workaround and not really a good one. Restricting web traffic is a political issue, and as the IT admin or IT manager, hand off the responsibility of creating the policy or owning the approved site list if you can and make the company pay.

Now of course, if you are administering a public institution or school that is limited in funding and administrative staff, and you can't get an educational discount on a functional, feature-rich proxy solution, any of the suggested workarounds will work.

I have to go and get off my soap box now.

Omar

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pietrzak
Sent: Wednesday, September 12, 2007 9:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: RE: [gptalk] Website

Craig,

You can use the IPSec techniques outlined in this walkthrough...

http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm

to enable you to block certain websites via a group policy. It's VERY easy to do. We had a problem with users visiting naughty sites and with this technique, I can effectively block all web access, allow local intranet browsing, allow only specific sites to be allowed, or finally, what you are looking for, block individual sites. Read through it. Again, it's very easy to alter the IPSec rules to block a single web site.
Alternately, in your DNS servers, I use MS DNS so I can't say this could apply to you, but you could create a new domain, say myspace.com, and make a bogus DNS entry for it. That way, when any machine tries to go to myspace.com, it will not resolve. Either of those techniques should work great for you.

Michael
SDSU

Hi guys

Can I block a website through a GPO?

Craig Meyer

"He had no servants - yet they called Him Master, no degrees - yet they called Him Teacher, no medicine - yet they called Him Healer, no army yet the Kings feared Him. He won no military battles yet He conquered the world. He committed no crime yet they crucified Him. He was buried in a tomb yet He lives 2day...."
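
The bogus DNS zone Michael describes above, sketched as an added example that is not part of the original thread. It assumes an AD-integrated Microsoft DNS server with the DnsServer PowerShell module (Windows Server 2012 or later); the block list variable and the sinkhole address 192.0.2.1 are placeholders chosen for illustration.

```powershell
# Added example: authoritative "block" zones on a Microsoft DNS server.
# Run elevated on the DNS server itself; requires the DnsServer module.
Import-Module DnsServer

# Assumptions, not values from the thread (apart from the domain Michael names):
$BlockedDomains = @('myspace.com')   # domains to block
$SinkholeIp     = '192.0.2.1'        # placeholder (TEST-NET-1); point at an internal block page

foreach ($domain in $BlockedDomains) {
    # Idempotent: never touch a zone that already exists, so a legitimately
    # hosted zone cannot be overwritten by a typo in the block list.
    if (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue) {
        Write-Warning "Zone $domain already exists; leaving it untouched."
        continue
    }

    # Once the zone exists, this server answers authoritatively for the
    # domain and stops forwarding queries for it to the Internet.
    Add-DnsServerPrimaryZone -Name $domain -ReplicationScope 'Domain'

    # Apex and wildcard records, so www.<domain> and every other host name
    # under the domain land on the sinkhole as well.
    Add-DnsServerResourceRecordA -ZoneName $domain -Name '@' -IPv4Address $SinkholeIp
    Add-DnsServerResourceRecordA -ZoneName $domain -Name '*' -IPv4Address $SinkholeIp
}

# Verification: ask this server directly and report any name that still
# returns an address other than the sinkhole.
foreach ($domain in $BlockedDomains) {
    foreach ($name in @($domain, "www.$domain")) {
        $answer = Resolve-DnsName -Name $name -Type A -Server localhost -DnsOnly `
                                  -ErrorAction SilentlyContinue
        $ips = @($answer | Where-Object { $_.Type -eq 'A' } |
                           ForEach-Object { $_.IPAddress })
        $leaks = @($ips | Where-Object { $_ -ne $SinkholeIp })
        [pscustomobject]@{
            Name      = $name
            Answers   = $ips -join ','
            Sinkholed = ($ips.Count -gt 0) -and ($leaks.Count -eq 0)
        }
    }
}
```

Only clients that resolve through this server are affected; a client with a HOSTS entry or a different resolver is not, which is why the first reply pairs a proxy with outgoing port restrictions at the gateway.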