[windows2000] Re: Blocking Internet Access On A Schedule THE SOLU TION - formerly Re: Re: Blocking Internet Browsing from Explorer.exe
- From: Mark Lee <marklee15@xxxxxxxxx>
- To: windows2000@xxxxxxxxxxxxx
- Date: Mon, 1 Dec 2003 15:41:34 +0000 (GMT)
Glenn,
Nice points !
Users only have read access to the hosts file on NTFS !
All IE menu options (& reg editing) are blocked via policy, therefore, proxy
settings cannot be changed.
Non Admin owned EXE's (incl. .KIX,.CMD,.BAT etc) cannot be launched by normal
users either (stops unauthorised app usage incl. mini browsers and reg editors)
and as for offline storage of a website; that would fill their disk quota up
(assuming they have enought quota anyway!) leaving no space for real work !
Let's face it (& most of us were students at one time or another!) , at the end
of the day, students are out to get round any network security any way they can
to acheive thier aim - in this case usually playing games or disrupting lessons
so we stop em whenever they find something new !
The internet connection is secured behind a firewall and seperate proxy server
with all PC's on internal IP's and no NAT so they have to use the proxy ! At
the end of the day we just wanna stop net browsing in a classroom for a hour or
so and it work's fine !!!
- Mark
"Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx> wrote:
What if someone gets smart and modifies the hosts file themselves?
Or changes the proxy settings to an IP address instead of a host-name?
Or makes a web site (the entire thing) available offline, for browsing while
the hosts file is screwed?
I'm with Ray on this one... secure the "data" (the internet connection) and not
the program accessing the data...
But it IS fun to f' with students sometimes... ;-)
Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
-----Original Message-----
From: Mark Lee [mailto:marklee15@xxxxxxxxx]
Sent: Friday, November 28, 2003 4:39 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Blocking Internet Access On A Schedule THE SOLUTION -
formerly Re: Re: Blocking Internet Browsing from Explorer.exe
Ok Folks, as posted yesterday here's what we did.
1. Wrote a small EXE called BLOCKDNS.EXE which takes a few params but basically
adds and entry from command line to the windows hosts file
2. All IE browsers etc. are forced by policy to use a web proxy, but bypassed
for internal intranet
3. All PC's on internal IP so cannot directly surf anyways !
4. On schedule BLOCKDNS.EXE is called to add/remove 127.0.0.1 to hosts file
with our FQDN for the web proxy (might also want to call ipconfig /flushdns to
be 100% sure cached entries are gone)
This way, IE can still be used internally to access our Intranet etc. but
cannot see the proxy, therefore, cannot see the outside world ! This works
like a charm, students hate us even more now, staff think it's cool !
Mark.
---------------------------------
Download Yahoo! Messenger now for a chance to WIN Robbie Williams "Live At
Knebworth DVD"
---------------------------------
Download Yahoo! Messenger now for a chance to WIN Robbie Williams "Live At
Knebworth DVD"
Other related posts:
