Glenn, Nice points ! Users only have read access to the hosts file on NTFS ! All IE menu options (& reg editing) are blocked via policy, therefore, proxy settings cannot be changed. Non Admin owned EXE's (incl. .KIX,.CMD,.BAT etc) cannot be launched by normal users either (stops unauthorised app usage incl. mini browsers and reg editors) and as for offline storage of a website; that would fill their disk quota up (assuming they have enought quota anyway!) leaving no space for real work ! Let's face it (& most of us were students at one time or another!) , at the end of the day, students are out to get round any network security any way they can to acheive thier aim - in this case usually playing games or disrupting lessons so we stop em whenever they find something new ! The internet connection is secured behind a firewall and seperate proxy server with all PC's on internal IP's and no NAT so they have to use the proxy ! At the end of the day we just wanna stop net browsing in a classroom for a hour or so and it work's fine !!! - Mark "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx> wrote: What if someone gets smart and modifies the hosts file themselves? Or changes the proxy settings to an IP address instead of a host-name? Or makes a web site (the entire thing) available offline, for browsing while the hosts file is screwed? I'm with Ray on this one... secure the "data" (the internet connection) and not the program accessing the data... But it IS fun to f' with students sometimes... ;-) Glenn Sullivan, MCSE+I MCDBA David Clark Company Inc. -----Original Message----- From: Mark Lee [mailto:marklee15@xxxxxxxxx] Sent: Friday, November 28, 2003 4:39 AM To: windows2000@xxxxxxxxxxxxx Subject: [windows2000] Blocking Internet Access On A Schedule THE SOLUTION - formerly Re: Re: Blocking Internet Browsing from Explorer.exe Ok Folks, as posted yesterday here's what we did. 1. Wrote a small EXE called BLOCKDNS.EXE which takes a few params but basically adds and entry from command line to the windows hosts file 2. All IE browsers etc. are forced by policy to use a web proxy, but bypassed for internal intranet 3. All PC's on internal IP so cannot directly surf anyways ! 4. On schedule BLOCKDNS.EXE is called to add/remove 127.0.0.1 to hosts file with our FQDN for the web proxy (might also want to call ipconfig /flushdns to be 100% sure cached entries are gone) This way, IE can still be used internally to access our Intranet etc. but cannot see the proxy, therefore, cannot see the outside world ! This works like a charm, students hate us even more now, staff think it's cool ! Mark. --------------------------------- Download Yahoo! Messenger now for a chance to WIN Robbie Williams "Live At Knebworth DVD" --------------------------------- Download Yahoo! Messenger now for a chance to WIN Robbie Williams "Live At Knebworth DVD"