Restricting Internet Access

 
 
David Ray
Guest
Posts: n/a

 
      01-29-2005, 03:33 AM
I'm setting up a small network (10-15 XP Pro workstations on W2003 Server, a
domain).

I have been asked by management to restrict internet access on some
workstations, but not on others. Essentially, users would be allowed full
internet access on a couple of workstations, but others would be allowed
access only to selected sites.

I would like to do this without sacrificing DHCP throughout the office if at
all possible.

Is there an easy way to accomplish this?

TIA...

David


 
 
 
 
 
Todd J Heron
Guest
Posts: n/a

 
      01-29-2005, 03:41 AM
You need a proxy server of some kind to do this, such as ISA Server.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights


 
 
David Ray
Guest
Posts: n/a

 
      01-29-2005, 05:58 AM
Thanks for your reply.

Unfortunately, they're unwilling to spend more money to do it.

Would it be feasible for me to

(a) eliminate the DNS forwarding to the ISP's DNS;
(b) manually insert the ISP DNS addresses as secondary DNS for the
workstations that require access;
(c) insert the few sites permitted for all workstations in the server's DNS

to solve the problem? I'm thinking in this way, those workstations that are
allowed full access will get to the ISP's DNS (as alternate DNS), but those
that are allowed only restricted access will get only references that have
been inserted in the DNS manually.

Am I way off base in thinking this might work?

Thanks


"Todd J Heron" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You need a proxy server of some kind to do this, such as ISA Server.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> --------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>



 
 
Robert L [MS-MVP]
Guest
Posts: n/a

 
      01-29-2005, 02:50 PM
You have many options except ISA. Quoted from
http://www.howtonetworking.com/ie.htm
Restrict certain computers on a network accessing the Internet

1. Create a batch file to re-setup TCP/IP.
2. Edit registry LAN settings depending on who logs on.
3. If you have a router, you may be able to restrict the Internet access.


--
For more and other information, go to http://howtonetworking.com.

Don't send e-mail or reply to me unless you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
"David Ray" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm setting up a small network (10-15 XP Pro workstations on W2003 Server,
> a
> domain).
>
> I have been asked by management to restrict internet access on some
> workstations, but not on others. Essentially, users would be allowed full
> internet access on a couple of workstations, but others would be allowed
> access only to selected sites.
>
> I would like to do this without sacrificing DHCP throughout the office if
> at
> all possible.
>
> Is there an easy way to accomplish this?
>
> TIA...
>
> David
>
>



 
 
Dan Page
Guest
Posts: n/a

 
      01-29-2005, 07:26 PM
I use a program called FreeProxy to serve 9 client computers from Win 2000
server. It works very well and best of all it's free, probably the best
piece of freeware I've ever used. http://www.handcraftedsoftware.org

I haven't used it as you want (restricting specific client access) but I
know this can be done from reading the help file. I do successfully use it
to restrict internet access for certain users and to certain sites.



 
 
Steven L Umbach
Guest
Posts: n/a

 
      01-29-2005, 07:36 PM
You might be able to do that at the firewall appliance/NAT router if it can
restrict outbound access. For this to work well on that network it would be
best to give the computers static IP addresses. Of course keep in mind that
any user that is a local administrator can change the computer's IP address.
Then you would have to create content filtering or firewall rules to
restrict where the restricted computers are allowed to go on the internet.
That may be a lot harder than it sounds depending on the number of websites
that they are allowed to visit and which ones they are, as website access
often involves more than one IP address per website, which can be difficult
to get right, though checking the firewall logs for related dropped packets
while configuring the rules can help. Firewall appliances vary quite a bit
in their abilities to manage outbound traffic, with the lower-priced devices
often having very limited abilities and/or limited numbers of rules allowed.
It would be easy, however, to simply block certain computers from accessing
the internet, or for certain applications such as web browsing, email, etc.
by restricting a computer's IP address to related protocols. --- Steve


"David Ray" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm setting up a small network (10-15 XP Pro workstations on W2003 Server,
> a
> domain).
>
> I have been asked by management to restrict internet access on some
> workstations, but not on others. Essentially, users would be allowed full
> internet access on a couple of workstations, but others would be allowed
> access only to selected sites.
>
> I would like to do this without sacrificing DHCP throughout the office if
> at
> all possible.
>
> Is there an easy way to accomplish this?
>
> TIA...
>
> David
>
>



 
 
Phillip Windell
Guest
Posts: n/a

 
      01-31-2005, 04:10 PM

"David Ray" <(E-Mail Removed)> wrote in message
news:%23l2Qs$(E-Mail Removed)...
> Thanks for your reply.
>
> Unfortunately, they're unwilling to spend more money to do it.


Then they are unwilling to solve the problem.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Steve Riley [MSFT]
Guest
Posts: n/a

 
      02-01-2005, 06:04 AM
That won't work. A resolver contacts a secondary DNS only if the first never
replies. If the first says "I don't know" the resolver considers that to
be the answer and it stops.

As others have said, you need something that can understand user names and
allow you to create rules describing allowed and prohibited behavior. You
can't do this at the network level (IP addresses and such) since there is
no concept of "user" there.

Go back to management and ask why they have this requirement. Get them to
explain their thinking. Usually it's something like "to keep our people productive"
or "to avoid lawsuits that result from inappropriate access." Your management
sees a risk and they're looking for a mitigation. It's always good to mitigate
risks because you save lots of money when you do that. And if it takes spending
a little bit of money on ISA Server or whatever to help mitigate the far
greater expense of a realized risk, and if you can speak to management in
those terms, you'll get your authorization.

Steve Riley
(E-Mail Removed)



> Thanks for your reply.
>
> Unfortunately, they're unwilling to spend more money to do it.
>
> Would it be feasible for me to
>
> (a) eliminate the DNS forwarding to the ISP's DNS;
> (b) manually insert the ISP DNS addresses as secondary DNS for the
> workstations that require access;
> (c) insert the few sites permitted for all workstations in the
> server's DNS
> to solve the problem? I'm thinking in this way, those workstations
> that are allowed full access will get to the ISP's DNS (as alternate
> DNS), but those that are allowed only restricted access will get only
> references that have been inserted in the DNS manually.
>
> Am I way offbase in thinking this might work?
>
> Thanks
>
> "Todd J Heron" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> You need a proxy server of some kind to do this, such as ISA Server.
>>
>> --
>> Todd J Heron, MCSE
>> Windows Server 2003/2000/NT
>> --------------------------------------------------------------------------
>> This posting is provided "as is" with no warranties and confers no
>> rights
>>
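
The resolver behaviour Steve Riley describes, applied to the three-step DNS plan, as an added example that is not part of the original thread. It is a simplified Python model, not a real DNS client; the server names, hostnames and addresses are constructed samples.

```python
# Simplified model of stub-resolver failover between a primary and a
# secondary DNS server. All names and addresses are constructed samples.
from dataclasses import dataclass, field

TIMEOUT = object()  # sentinel: the server never replied


@dataclass
class DnsServer:
    name: str
    records: dict = field(default_factory=dict)  # hostname -> address it holds
    reachable: bool = True
    resolves_anything: bool = False  # stands in for the ISP's full resolver

    def query(self, host):
        if not self.reachable:
            return TIMEOUT
        if host in self.records:
            return self.records[host]
        if self.resolves_anything:
            return "203.0.113.10"  # constructed placeholder answer
        return None  # negative reply: "I don't know"


def resolve(host, servers):
    """Return (answer, answering_server). Only a timeout moves to the next server."""
    for server in servers:
        reply = server.query(host)
        if reply is TIMEOUT:
            continue
        return reply, server.name  # a negative reply is final; the secondary is never asked
    return None, None


def run_scenario(internal_up=True):
    # (a) forwarding removed, (c) only the permitted sites entered on the internal server
    internal = DnsServer("internal", {"approved.example": "198.51.100.5"},
                         reachable=internal_up)
    isp = DnsServer("isp", resolves_anything=True)
    restricted = [internal]        # internal DNS only
    full_access = [internal, isp]  # (b) ISP added as secondary
    return {
        "restricted -> approved": resolve("approved.example", restricted),
        "restricted -> other": resolve("other.example", restricted),
        "full -> approved": resolve("approved.example", full_access),
        "full -> other": resolve("other.example", full_access),
    }


if __name__ == "__main__":
    for internal_up in (True, False):
        print("internal DNS up:", internal_up, run_scenario(internal_up))
```

With the internal server up, the "full access" workstation gets the same negative answer as the restricted one, so the plan restricts every workstation; the ISP server is reached only when the internal server does not reply at all.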



 