[thelist] Restricting Internet Access by LAN IP

Ken Schaefer Ken at adOpenStatic.com
Mon Jun 27 20:23:15 CDT 2005


Hi,

A HOSTS file will work. You can prevent non-administrators from altering it
by changing the NTFS ACLs on the file. By default, only Administrators (and
LocalSystem) can change this file anyway (and everyone else can read it).

Alternatively, a proxy server is probably what you are looking at.
Microsoft's RRAS (Routing and Remote Access Server) which is part of Windows
Server will probably do what you want *but* it's not exactly the most
intuitive product in the world to use. ISA Server 2004 is *much* better, and
included with SBS2003 Premium if you have that.

Alternatively, something like Squid will do what you want.

You can enforce the IE proxy setting via Group Policy (you do have Active
Directory, right?)

Cheers
Ken

IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Matthew Lewis
: Subject: [thelist] Restricting Internet Access by LAN IP
: 
:   I'm helping set up a network of six computers running Windows 2000.
: (Actually I've already set it up, I just need to tweak it a bit now.)
: I've had a lot of trouble with Windows networks if LAN IPs are dynamic,
: so I always assign IPs manually to each machine.  They're networked
: using standard network switches and Internet access is through DSL and a
: standard Linksys router.  Everything is wired - no wireless anywhere.
: 
: The problem is that I need to set things up so that two of these
: computers cannot access the Internet at all, EXCEPT for a short list of
: websites.  The router has built-in functions to stop all Internet access
: for certain LAN IPs, but that's as far as it goes.  These machines need
: access to some sites, but basically I need to be able to start them off
: with an "empty Internet" and then add a list of "allowed sites" as time
: goes by.
: 
: I've been advised by one very knowledgeable gentleman to use Squid on a
: Linux box as a proxy for these two machines to access the Internet
: through. The idea is to use the router to totally block Internet access
: from these two boxes, then configure them to go through the proxy which
: can be configured to only allow certain sites.  Unfortunately, I can't
: get a Linux machine for this network, and Squid on a Windows OS seems
: pretty much impossible to get configured properly.  I've had no luck in
: finding another good free/cheap proxy software that looks like it will
: do what I need.
: 
: So that's my goal - now I just need ideas.  What can I do to set things
: up so these two machines can only access "allowed" websites?  Whatever I
: do, it needs to be easily updated to include new sites, but it also
: needs to be something that the users of these computers can't get
: around.  Any ideas?
: 
: I've thought of using the Windows HOSTS file, but from the research I've
: done it seems like that can't work. Plus, I think non-administrator
: users can edit the HOSTS file anyway, and if that's true, it kind of
: defeats the whole purpose in the first place.
: 
: Thanks a lot,
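
The Squid approach discussed in this thread (an "empty Internet" plus a growing list of allowed sites for two machines), sketched as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the two LAN addresses and the list file path are constructed placeholders.

```conf
# Added example, not from the thread. Addresses and path are placeholders.

# The two restricted workstations, matched by their static LAN IPs.
acl restricted_pcs src 192.168.1.21 192.168.1.22

# Allowlist kept in its own file, one domain per line, so adding a site
# is a one-line edit. A leading dot (".example.com") also matches
# subdomains such as www.example.com.
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Order matters: http_access rules are evaluated top to bottom and the
# first matching rule decides.
# 1. Restricted machines may reach allowlisted destinations only.
http_access allow restricted_pcs allowed_sites
# 2. Anything else from those machines is refused.
http_access deny restricted_pcs
# 3. Nobody else is expected to use this proxy, so refuse by default.
http_access deny all
```

After editing the list file, `squid -k reconfigure` makes the running proxy reload it. The allowlist only holds if the router keeps blocking direct Internet access from the two machines, so the proxy is their only path out.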


