Restricting a "kids PC" to www only

 
 
Peter
      11-28-2003, 10:34 AM
Hi,

I know a fair bit about computing (manage a few NT4SP6a & win2k
machines, via Cisco 803 routers) but I am not up to date on this.

I need to set up a PC (win2k) for use by my two boys (aged 7,10) for
occasional internet access. They will be supervised but it cannot be
done 100%, obviously. And kids are very clever and VERY quick in
crazily clicking on everything that pops up - that's what they do at
school (but the school server is very restricted).

I need to

- limit that PC to www access only
- no file downloads (if e.g. Flash is required I need to be able to do
that myself)
- virus protection
- dodgy websites excluded as far as poss
- if poss, cannot see other PCs on the LAN
- email if any will be done via a yahoo.co.uk mailbox (www)

The PC will access the internet via a Cisco 803 router (BTHH ISDN),
configured with a pretty strict access list (but not http only because
I use it too on another PC). So I need a www-only-limit on *that* PC
only.

I have both Norton and McAfee AV software, latest versions, and can
use either. Normally I use Norton but it messes up some PCs so I use
the other one on those.

I gather Zonealarm etc can achieve the www-only function. Can it
prevent executable downloads though?

Are active-x a real risk? I have configured my own browser to ask on
any active-x control and I usually say No, which doesn't seem to have
much of an effect on most sites. I have also disabled 3rd party
cookies.

What s/w is best for site blocking? 10 year old boys nowadays go
straight to Google, type in PORN, and click away...

Any views/suggestions would be much appreciated.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
David Mahon
      11-28-2003, 11:58 AM

(E-Mail Removed) (Peter) wrote:

>Any views/suggestions would be much appreciated.


How much are you prepared to spend and/or do you already have a spare PC
you can leave on 24/7 acting as a proxy/firewall?

--
David Mahon
Reply to newsreply_01 at amigo.co.uk
 
Pete Smith
      11-28-2003, 12:08 PM
In article <(E-Mail Removed)>, (E-Mail Removed)
says...
> I need to set up a PC (win2k) for use by my two boys (aged 7,10) for
> occasional internet access. They will be supervised but it cannot be
> done 100%, obviously. And kids are very clever and VERY quick in
> crazily clicking on everything that pops up - that's what they do at
> school (but the school server is very restricted).
>


<snip>

I'd start by running a web proxy on your PC, and making sure that their PC
only uses that web proxy, rather than a gateway.

You're immediately stopping all traffic other than WWW.

You can then add a list of addresses to your hosts file (as I have done)
that stops all traffic from known dodgy sites.

I've based my list on the one provided by Kazaa Lite, stripped out the
duplications, and added some of my own. I was using Astalavista to check
for security holes with the old version of Apache (which I run on this
machine, and didn't want it to become a security risk), and kept
redirecting me to streetblowjobs.com and bangbus.com(!)

I added these to my hosts file, telling it that they resolve to 127.0.0.1,
and then those sites, plus 95% of the adverts just fade into the
background, giving a 404 error (because obviously my local server doesn't
house hardcore porn onna-bus).

You should also set their accounts to "Limited", so they can't change any
of the settings.

There's also parental filter software out there that you could also use.
The previous method is only as good as the list of disallowed sites. The
parental filter software should be configurable. My wife's school use
Cyberpatrol. You could start looking there.

HTH.

Pete.

--
NOTE! Email address is spamtrapped. Any email will be bounced to you
Remove the news and underscore from my address to reply by mail
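
The hosts-file block list described in the post above, as an added example that is not part of the original post: it merges an imported list with local additions, strips duplicates and malformed entries, and models how a hosts lookup matches. The `.example` names and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed inputs; the .example names are placeholders, not real sites.
IMPORTED_LIST = """\
# list taken from elsewhere
127.0.0.1   localhost
127.0.0.1   ads.tracker.example
0.0.0.0     ADS.tracker.example    # same name, different case and sink
127.0.0.1   popups.example
"""
OWN_ADDITIONS = """\
adult-site.example
popups.example
not a hostname!
"""
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_address(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def valid_hostname(name):
    """Require at least two well-formed labels, which also drops 'localhost'."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)


def build_hosts(*sources, sink="127.0.0.1"):
    """Merge hosts-style or bare-name lists into sorted, de-duplicated entries."""
    names = set()
    for text in sources:
        for line in text.splitlines():
            fields = line.split("#", 1)[0].split()
            if fields and is_address(fields[0]):
                fields = fields[1:]          # drop the address column
            names.update(f.lower().rstrip(".") for f in fields)
    return [f"{sink} {n}" for n in sorted(filter(valid_hostname, names))]


def is_blocked(hosts_lines, name):
    """Model hosts-file lookup: exact names only, no wildcards or subdomains."""
    return name.lower().rstrip(".") in {line.split()[1] for line in hosts_lines}
```

Because the lookup is exact, an entry for `popups.example` does not cover `www.popups.example`; every host name to be blocked needs its own line.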
 
Ian Stirling
      11-28-2003, 12:10 PM
Peter <(E-Mail Removed)> wrote:
> Hi,
>
> I know a fair bit about computing (manage a few NT4SP6a & win2k
> machines, via Cisco 803 routers) but I am not up to date on this.
>
> I need to set up a PC (win2k) for use by my two boys (aged 7,10) for
> occasional internet access. They will be supervised but it cannot be
> done 100%, obviously. And kids are very clever and VERY quick in
> crazily clicking on everything that pops up - that's what they do at
> school (but the school server is very restricted).

<snip>
> Are active-x a real risk? I have configured my own browser to ask on
> any active-x control and I usually say No, which doesn't seem to have
> much of an effect on most sites. I have also disabled 3rd party
> cookies.


Active-x is a real security risk.
It's saying not only that you trust who signed the control, but you
trust them to make 100% bug-free code.
If someone finds an exploitable bug in an active-X control signed
by Microsoft, then all they need to do is to put it on their page, along
with the data that does the exploit, and they are in.

An active-X control basically has total access to your computer, unlike
Java, which at least attempts to keep it in its own space.

I'd be considering a simple Linux box.
Practically any distribution can be installed easily if you just want
something as simple as a browser on a LAN, and nothing else.
This would also add an extra layer of security, as even if they did manage
to download a program, it wouldn't run.

 
Tim Bradshaw
      11-28-2003, 12:40 PM
* Peter wrote:

> Any views/suggestions would be much appreciated.


I think you're basically doomed. If you can't trust them, then you've
lost. Your best chance is to be able to know what happens and repair
the damage quickly.

What I'm going to do (when I get round to it) is several things in
combination:

1. Have the PC sitting isolated from our proper network, behind some
kind of NAT firewall. This only matters if you have a proper
network, of course! We're already behind a firewall, but I want
the PC isolated so if anything bad happens to it, then it can't sit
there watching our internal network traffic for instance.

2. Have a single-command reinstallation for the PC. Either via vmware
or ghost or something like that. The aim is to be able to blow a
known-good windows image onto the PC from a read-only source at
fairly frequent intervals.

3. Use KPF on the PC to try and stop anything awful. (KPF can
certainly restrict outgoing traffic (so you could set it up to only
allow port 80 traffic, with no incoming traffic at all). The new
version (4.x), which I don't have, seems to have application stuff
as well. The old one at least seems to be way less intrusive and
overcomplex than some other personal firewall products.)

4. Only allow port 80 & other needed stuff outgoing from the PC on the
NAT box (which will be a separate bit of HW thus less easily
compromised than the PC). Insist that at least port 80 goes only
to a web proxy we own.

5. This web proxy will not restrict anything, but will log addresses.
We will periodically look at these logs. If we find anything bad
we'll ask the child to explain themselves, and if they can't give
them a serious telling-off.

This probably seems like overkill, but the aim is to protect our
machines (which our business depends on), to make a best-attempt to
protect the PC but to be able to reinstall it painlessly when that
fails (as I expect it will), and finally not to restrict what goes on,
which seems to me both futile and likely to cause the child to try
harder to get around the restrictions, but to be able to *know* what
goes on, so we can be fierce if anything bad happens.

FWIW we also (will) do stuff like this for things like banking access
where the bank will only support IE (we use Firebird internally).

--tim
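
The periodic log review from step 5 of the post above, as an added example that is not part of the original post. It assumes the logging proxy writes Squid's native access.log layout (the poster does not name a proxy); the log lines, client address, watch list and function names are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident peer mime
SAMPLE_LOG = """\
1070018040.123 250 192.168.10.20 TCP_MISS/200 4312 GET http://www.kids-games.example/index.html - DIRECT/203.0.113.10 text/html
1070018055.410 90 192.168.10.20 TCP_HIT/200 1822 GET http://www.kids-games.example/logo.gif - NONE/- image/gif
1070018101.007 310 192.168.10.20 TCP_MISS/200 88211 GET http://downloads.example/free/toolbar.exe - DIRECT/203.0.113.44 application/octet-stream
1070018160.900 120 192.168.10.20 TCP_DENIED/403 1200 CONNECT chat.example:6667 - NONE/- -
this line is truncated and must be skipped
"""
WATCH_HOSTS = {"downloads.example"}          # constructed watch list
EXEC_MIME = {"application/octet-stream", "application/x-msdownload"}
EXEC_SUFFIX = (".exe", ".scr", ".bat", ".pif")


def parse_line(line):
    """Return one record as a dict, or None if the line is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        if f[5] == "CONNECT":                # CONNECT logs "host:port", not a URL
            host, _, port = f[6].rpartition(":")
            port, path = int(port), ""
        else:
            parts = urlsplit(f[6])
            host, port, path = parts.hostname or "", parts.port or 80, parts.path
    except ValueError:
        return None
    return {"when": when, "client": f[2], "method": f[5], "host": host.lower(),
            "port": port, "path": path.lower(), "mime": f[9]}


def review(log_text):
    """Return (hit counts per client and host, findings to follow up)."""
    visits, findings = defaultdict(Counter), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        visits[rec["client"]][rec["host"]] += 1
        reasons = []
        if rec["host"] in WATCH_HOSTS:
            reasons.append("watch-listed host")
        if rec["mime"] in EXEC_MIME or rec["path"].endswith(EXEC_SUFFIX):
            reasons.append("executable download")
        if rec["method"] == "CONNECT" and rec["port"] != 443:
            reasons.append("tunnel to non-HTTPS port")
        if reasons:
            findings.append((rec["when"].isoformat(), rec["client"], rec["host"], reasons))
    return visits, findings
```

For CONNECT traffic the proxy records only the host and port, so the download check applies to plain HTTP requests.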

 
Peter
      11-28-2003, 01:09 PM

Ian Stirling <(E-Mail Removed)> wrote:

>I'd be considering a simple Linux box.
>Practically any distribution can be installed easily if you just want
>something as simple as a browser on a LAN, and nothing else.


The problem is that many websites were developed only for IE6.x


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
Peter
      11-28-2003, 01:10 PM

"David Mahon" <(E-Mail Removed)> wrote:

>How much are you prepared to spend and/or do you already have a spare PC
>you can leave on 24/7 acting as a proxy/firewall?


They would be using a dedicated PC; money on software isn't a problem.
I don't want to dedicate a PC to run 24/7.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
Ian G Batten
      11-28-2003, 01:11 PM
In article <(E-Mail Removed)>,
Peter <(E-Mail Removed)> wrote:
> I need to set up a PC (win2k) for use by my two boys (aged 7,10) for
> occasional internet access. They will be supervised but it cannot be


Put it behind a web proxy, running on a distinct machine (any old tat
will do: I use an old 233MHz laptop with a broken screen). Put decent
firewalling on that machine, plus squid in transparent proxy mode (and
the squidguard filter if that's your taste). Restrict access to the
firewall machine to ssh with public key authentication, and either kill
the getty on the console (for the brave) or lock the lid of the laptop
down in a tamper evident way.

My kids aren't that age yet, but I'm planning in advance :-)

ian


 
Peter
      11-28-2003, 01:11 PM

Pete Smith <(E-Mail Removed)> wrote:

>I'd start by running a web proxy on your PC, and making sure that their PC
>only uses that web proxy, rather than a gateway.


Doesn't this mean that I need to explicitly enable each website they
want to access?


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
Ian G Batten
      11-28-2003, 01:11 PM
In article <(E-Mail Removed)>,
Peter <(E-Mail Removed)> wrote:
>
> Ian Stirling <(E-Mail Removed)> wrote:
>
> >I'd be considering a simple Linux box.
> >Practically any distribution can be installed easily if you just want
> >something as simple as a browser on a LAN, and nothing else.

>
> The problem is that many websites were developed only for IE6.x


The set of web sites I've had problems with using Mozilla 1.latest is
vanishingly small.

ian

 