Does the proxy server not do authentication? I have a proxy server here (ISA server) that allows me to give access by IP address, hostname, username, and even user agent string, if want to be that anal... This all reminds me of a saying repeated often on the Exchange list: "There are seldom good Technological Solutions for Behavioral Problems." - Ed Crowley. Glenn Sullivan, MCSE+I MCDBA David Clark Company Inc. -----Original Message----- From: Mark Lee [mailto:marklee15@xxxxxxxxx] Sent: Monday, December 01, 2003 10:42 AM To: windows2000@xxxxxxxxxxxxx Subject: [windows2000] Re: Blocking Internet Access On A Schedule THE SOLU TION - formerly Re: Re: Blocking Internet Browsing from Explorer.exe Glenn, Nice points ! Users only have read access to the hosts file on NTFS ! All IE menu options (& reg editing) are blocked via policy, therefore, proxy settings cannot be changed. Non Admin owned EXE's (incl. .KIX,.CMD,.BAT etc) cannot be launched by normal users either (stops unauthorised app usage incl. mini browsers and reg editors) and as for offline storage of a website; that would fill their disk quota up (assuming they have enought quota anyway!) leaving no space for real work ! Let's face it (& most of us were students at one time or another!) , at the end of the day, students are out to get round any network security any way they can to acheive thier aim - in this case usually playing games or disrupting lessons so we stop em whenever they find something new ! The internet connection is secured behind a firewall and seperate proxy server with all PC's on internal IP's and no NAT so they have to use the proxy ! At the end of the day we just wanna stop net browsing in a classroom for a hour or so and it work's fine !!! - Mark "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx> wrote: What if someone gets smart and modifies the hosts file themselves? Or changes the proxy settings to an IP address instead of a host-name? Or makes a web site (the entire thing) available offline, for browsing while the hosts file is screwed? I'm with Ray on this one... secure the "data" (the internet connection) and not the program accessing the data... But it IS fun to f' with students sometimes... ;-) Glenn Sullivan, MCSE+I MCDBA David Clark Company Inc. -----Original Message----- From: Mark Lee [mailto:marklee15@xxxxxxxxx] Sent: Friday, November 28, 2003 4:39 AM To: windows2000@xxxxxxxxxxxxx Subject: [windows2000] Blocking Internet Access On A Schedule THE SOLUTION - formerly Re: Re: Blocking Internet Browsing from Explorer.exe Ok Folks, as posted yesterday here's what we did. 1. Wrote a small EXE called BLOCKDNS.EXE which takes a few params but basically adds and entry from command line to the windows hosts file 2. All IE browsers etc. are forced by policy to use a web proxy, but bypassed for internal intranet 3. All PC's on internal IP so cannot directly surf anyways ! 4. On schedule BLOCKDNS.EXE is called to add/remove 127.0.0.1 to hosts file with our FQDN for the web proxy (might also want to call ipconfig /flushdns to be 100% sure cached entries are gone) This way, IE can still be used internally to access our Intranet etc. but cannot see the proxy, therefore, cannot see the outside world ! This works like a charm, students hate us even more now, staff think it's cool ! Mark. _____ Download <http://uk.rd.yahoo.com/mail/tagline_messenger/*http://download.yahoo.com/dl /intl/ymsgruk.exe> Yahoo! Messenger now for a chance to WIN <http://uk.rd.yahoo.com/mail/tagline_messenger/*http://messenger.promotions. yahoo.com/rwuk> Robbie Williams "Live At Knebworth DVD" _____ Download <http://uk.rd.yahoo.com/mail/tagline_messenger/*http://download.yahoo.com/dl /intl/ymsgruk.exe> Yahoo! Messenger now for a chance to WIN <http://uk.rd.yahoo.com/mail/tagline_messenger/*http://messenger.promotions. yahoo.com/rwuk> Robbie Williams "Live At Knebworth DVD"