blocking internet access

hi guys,
I'm trying to prevent my users from accessing the internet. I have attempted
to block it through the personal firewall as well as through IE, however, my
users seem to have learn how to undo what I did. is there anyting i can do
at the lower layers to prevent them.

thanks
nik

Use Microsoft ISA Server 2004 and require that users authenticate.
You can download free trial version of ISA Server 2004 from Microsoft's web
site.

Dusko Savatovic

"Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
news:(E-Mail Removed)...
> hi guys,
> I'm trying to prevent my users from accessing the internet. I have
> attempted
> to block it through the personal firewall as well as through IE, however,
> my
> users seem to have learn how to undo what I did. is there anyting i can do
> at the lower layers to prevent them.
>
> thanks
> nik
>
>

How do you get to the internet in the first place?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
news:(E-Mail Removed)...
> hi guys,
> I'm trying to prevent my users from accessing the internet. I have
attempted
> to block it through the personal firewall as well as through IE, however,
my
> users seem to have learn how to undo what I did. is there anyting i can do
> at the lower layers to prevent them.
>
> thanks
> nik
>
>

if you don't have budget to buy isa, you still have many options. 1. if you
have a router and the router can do filter, the filter the ip you don't want
to access the internet; 2. don't assign the router to the computers; 3.
enable LAN settings with a fake ip and also disable user's right to modify
registry. good luck!

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN%20process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
"Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
news:(E-Mail Removed)...
> hi guys,
> I'm trying to prevent my users from accessing the internet. I have
> attempted
> to block it through the personal firewall as well as through IE, however,
> my
> users seem to have learn how to undo what I did. is there anyting i can do
> at the lower layers to prevent them.
>
> thanks
> nik
>
>

You don't give us much information about your network or how you connect to
the Internet. However, one easy way to prevent network Internet access on a
per computer basis is to configure the client computer with no default
gateway or an incorrect default gateway. You can do this with a DHCP server
or by statically configuring the client computer.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

"Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
news:(E-Mail Removed)...
> hi guys,
> I'm trying to prevent my users from accessing the internet. I have
attempted
> to block it through the personal firewall as well as through IE, however,
my
> users seem to have learn how to undo what I did. is there anyting i can do
> at the lower layers to prevent them.
>
> thanks
> nik
>
>

That won't work if the OP's network has more than one subnet since his computers
will need a default gateway to communicate to the other subnet.

Really, this kind of problem shouldn't be solved with any technology that
relies on IP addresses. IP addresses identify computers, not people. In the
world of DHCP, there's never any guarantee that a particular address will
always be used on a particular person's computer. Besides, IP addresses can
be spoofed.

If you want user-level access control, you must use technology that understands
user accounts and manage your requirements centrally. This means you need
something like Active Directory and ISA Server.

Steve Riley
(E-Mail Removed)



> You don't give us much information about your network or how you
> connect to the Internet. However, one easy way to prevent network
> Internet access on a per computer basis is to configure the client
> computer with no default gateway or an incorrect default gateway. You
> can do this with a DHCP server or by statically configuring the client
> computer.
>
> Doug Sherman
> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> "Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
> news:(E-Mail Removed)...
>
>> hi guys,
>> I'm trying to prevent my users from accessing the internet. I have
> attempted
>
>> to block it through the personal firewall as well as through IE,
>> however,
>>
> my
>
>> users seem to have learn how to undo what I did. is there anyting i
>> can do at the lower layers to prevent them.
>>
>> thanks
>> nik

Sorry about that guys. I should have definitely given more information.
These are standalone computers. they use the internet to connect to the
western union network. So I do not wish for them to do any browsing or
chatting. They access the internet via dial-up

Hope this helps
Nik


"Doug Sherman [MVP]" <(E-Mail Removed)> wrote in message
news:Oh8#(E-Mail Removed)...
> You don't give us much information about your network or how you connect
to
> the Internet. However, one easy way to prevent network Internet access on
a
> per computer basis is to configure the client computer with no default
> gateway or an incorrect default gateway. You can do this with a DHCP
server
> or by statically configuring the client computer.
>
> Doug Sherman
> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
>
> "Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
> news:(E-Mail Removed)...
> > hi guys,
> > I'm trying to prevent my users from accessing the internet. I have
> attempted
> > to block it through the personal firewall as well as through IE,
however,
> my
> > users seem to have learn how to undo what I did. is there anyting i can
do
> > at the lower layers to prevent them.
> >
> > thanks
> > nik
> >
> >
>
>

I agree with you in principle, my suggestion of manipulating gateways is
clunky and inconsistent with true network security paractices.

Nevertheless, it can be made to work; and the following is both misleading
and does not support the principle:

"That won't work if the OP's network has more than one subnet since his
computers will need a default gateway to communicate to the other subnet."

The computers could use a static route(s) to reach the other subnets and
have no default gateway at all.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP


"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> That won't work if the OP's network has more than one subnet since his
computers
> will need a default gateway to communicate to the other subnet.
>
> Really, this kind of problem shouldn't be solved with any technology that
> relies on IP addresses. IP addresses identify computers, not people. In
the
> world of DHCP, there's never any guarantee that a particular address will
> always be used on a particular person's computer. Besides, IP addresses
can
> be spoofed.
>
> If you want user-level access control, you must use technology that
understands
> user accounts and manage your requirements centrally. This means you need
> something like Active Directory and ISA Server.
>
> Steve Riley
> (E-Mail Removed)
>
>
>
> > You don't give us much information about your network or how you
> > connect to the Internet. However, one easy way to prevent network
> > Internet access on a per computer basis is to configure the client
> > computer with no default gateway or an incorrect default gateway. You
> > can do this with a DHCP server or by statically configuring the client
> > computer.
> >
> > Doug Sherman
> > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> > "Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
> > news:(E-Mail Removed)...
> >
> >> hi guys,
> >> I'm trying to prevent my users from accessing the internet. I have
> > attempted
> >
> >> to block it through the personal firewall as well as through IE,
> >> however,
> >>
> > my
> >
> >> users seem to have learn how to undo what I did. is there anyting i
> >> can do at the lower layers to prevent them.
> >>
> >> thanks
> >> nik
>
>

Inline.


> I agree with you in principle, my suggestion of manipulating gateways
> is clunky and inconsistent with true network security paractices.
>
> Nevertheless, it can be made to work; and the following is both
> misleading and does not support the principle:
>
> "That won't work if the OP's network has more than one subnet since
> his computers will need a default gateway to communicate to the other
> subnet."
>
> The computers could use a static route(s) to reach the other subnets
> and have no default gateway at all.

True but that is an advanced configuration that is brittle because it requires
on-going maintenance. It is nontrivial to learn how that works and it can
be destabilizing if the routing infrastructure in the network is dynamic.
It's essentially asking a client to please behave and don't go where I don't
want you to go.

Steve Riley
(E-Mail Removed)



> Doug Sherman
> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> "Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> That won't work if the OP's network has more than one subnet since
>> his
>>
> computers
>
>> will need a default gateway to communicate to the other subnet.
>>
>> Really, this kind of problem shouldn't be solved with any technology
>> that relies on IP addresses. IP addresses identify computers, not
>> people. In
>>
> the
>
>> world of DHCP, there's never any guarantee that a particular address
>> will always be used on a particular person's computer. Besides, IP
>> addresses
>>
> can
>
>> be spoofed.
>>
>> If you want user-level access control, you must use technology that
>>
> understands
>
>> user accounts and manage your requirements centrally. This means you
>> need something like Active Directory and ISA Server.
>>
>> Steve Riley
>> (E-Mail Removed)
>>> You don't give us much information about your network or how you
>>> connect to the Internet. However, one easy way to prevent network
>>> Internet access on a per computer basis is to configure the client
>>> computer with no default gateway or an incorrect default gateway.
>>> You can do this with a DHCP server or by statically configuring the
>>> client computer.
>>>
>>> Doug Sherman
>>> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
>>> "Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
>>> news:(E-Mail Removed)...
>>>> hi guys,
>>>> I'm trying to prevent my users from accessing the internet. I have
>>> attempted
>>>
>>>> to block it through the personal firewall as well as through IE,
>>>> however,
>>>>
>>> my
>>>
>>>> users seem to have learn how to undo what I did. is there anyting i
>>>> can do at the lower layers to prevent them.
>>>>
>>>> thanks
>>>> nik

Just getting a Firewall or Proxy that is worth having would solve the whole
thing. If IP# assignments are logically and consistantly managed a NAT
Firewall that restricts by the IP# would "get by". Otherwise something like
ISA that restricts by User account would solve it.

These things always come up if someone is wanting to create a non-standard
solution to a standard problem because they either can't or won't spend a
few dollars to do it right.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Inline.
>
>
> > I agree with you in principle, my suggestion of manipulating gateways
> > is clunky and inconsistent with true network security paractices.
> >
> > Nevertheless, it can be made to work; and the following is both
> > misleading and does not support the principle:
> >
> > "That won't work if the OP's network has more than one subnet since
> > his computers will need a default gateway to communicate to the other
> > subnet."
> >
> > The computers could use a static route(s) to reach the other subnets
> > and have no default gateway at all.
>
> True but that is an advanced configuration that is brittle because it
requires
> on-going maintenance. It is nontrivial to learn how that works and it can
> be destabilizing if the routing infrastructure in the network is dynamic.
> It's essentially asking a client to please behave and don't go where I
don't
> want you to go.
>
> Steve Riley
> (E-Mail Removed)
>
>
>
> > Doug Sherman
> > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> > "Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >
> >> That won't work if the OP's network has more than one subnet since
> >> his
> >>
> > computers
> >
> >> will need a default gateway to communicate to the other subnet.
> >>
> >> Really, this kind of problem shouldn't be solved with any technology
> >> that relies on IP addresses. IP addresses identify computers, not
> >> people. In
> >>
> > the
> >
> >> world of DHCP, there's never any guarantee that a particular address
> >> will always be used on a particular person's computer. Besides, IP
> >> addresses
> >>
> > can
> >
> >> be spoofed.
> >>
> >> If you want user-level access control, you must use technology that
> >>
> > understands
> >
> >> user accounts and manage your requirements centrally. This means you
> >> need something like Active Directory and ISA Server.
> >>
> >> Steve Riley
> >> (E-Mail Removed)
> >>> You don't give us much information about your network or how you
> >>> connect to the Internet. However, one easy way to prevent network
> >>> Internet access on a per computer basis is to configure the client
> >>> computer with no default gateway or an incorrect default gateway.
> >>> You can do this with a DHCP server or by statically configuring the
> >>> client computer.
> >>>
> >>> Doug Sherman
> >>> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> >>> "Nik" <nalleyne(don't use this)@webworksgy.com> wrote in message
> >>> news:(E-Mail Removed)...
> >>>> hi guys,
> >>>> I'm trying to prevent my users from accessing the internet. I have
> >>> attempted
> >>>
> >>>> to block it through the personal firewall as well as through IE,
> >>>> however,
> >>>>
> >>> my
> >>>
> >>>> users seem to have learn how to undo what I did. is there anyting i
> >>>> can do at the lower layers to prevent them.
> >>>>
> >>>> thanks
> >>>> nik
>
>