[thelist] Restricting Internet Access by LAN IP

Matthew Lewis matthewhse at gmail.com
Mon Jun 27 13:12:21 CDT 2005


I'm helping set up a network of six computers running Windows 2000.
(Actually I've already set it up, I just need to tweak it a bit now.)
I've had a lot of trouble with Windows networks if LAN IPs are dynamic,
so I always assign IPs manually to each machine.  They're networked
using standard network switches and Internet access is through DSL and a
standard Linksys router.  Everything is wired - no wireless anywhere.

The problem is that I need to set things up so that two of these 
computers cannot access the Internet at all, EXCEPT for a short list of 
websites.  The router has built-in functions to stop all Internet access
for certain LAN IPs, but that's as far as it goes.  These machines need
access to some sites, but basically I need to be able to start them off 
with an "empty Internet" and then add a list of "allowed sites" as time 
goes by.

I've been advised by one very knowledgeable gentleman to use Squid on a 
Linux box as a proxy for these two machines to access the Internet 
through. The idea is to use the router to totally block Internet access 
from these two boxes, then configure them to go through the proxy which 
can be configured to only allow certain sites.  Unfortunately, I can't 
get a Linux machine for this network, and Squid on a Windows OS seems 
pretty much impossible to get configured properly.  I've had no luck in
finding other good free/cheap proxy software that looks like it will
do what I need.

So that's my goal - now I just need ideas.  What can I do to set things 
up so these two machines can only access "allowed" websites?  Whatever I 
do, it needs to be easily updated to include new sites, but it also 
needs to be something that the users of these computers can't get 
around.  Any ideas?

I've thought of using the Windows HOSTS file, but from the research I've 
done it seems like that can't work. Plus, I think non-administrator 
users can edit the HOSTS file anyway, and if that's true, it kind of 
defeats the whole purpose in the first place.

Thanks a lot,

Matthew
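
The Squid arrangement described in the message above (router blocks the two machines, proxy permits only listed sites), sketched as an added example that is not part of the original post. The port, the two LAN addresses and the allowlist file path are assumptions chosen for illustration.

```conf
# squid.conf fragment: added example, not from the original post.
# Assumed values: proxy listens on 3128, the two restricted PCs are
# 192.168.1.101 and 192.168.1.102, and the allowlist is kept in
# /etc/squid/allowed_sites.txt.

http_port 3128

# The two machines whose direct Internet access is blocked at the router.
acl restricted_pcs src 192.168.1.101 192.168.1.102

# One domain per line; a leading dot (".example.org") also matches
# subdomains. Start with a short list and add sites as time goes by.
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Only web ports, and HTTPS tunnels only to port 443, so the proxy
# cannot be used to reach arbitrary services.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rules are evaluated top to bottom and the first match wins:
# the restricted PCs get the allowlisted sites and nothing else.
http_access allow restricted_pcs allowed_sites
http_access deny all

# After editing allowed_sites.txt, reload without a restart:
#   squid -k reconfigure
```

The allowlist only holds if the router rule stays in place: the proxy host must be allowed out, while the two restricted addresses must have no direct route to the Internet, so changing the browser's proxy setting gains nothing.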

