If you know the ports that are used you can implement an IPsec filtering policy to
block those ports using permit and block filter rules. IPsec policies are computer
policies and apply to all users on the computer and can be managed via Group Policy.
You could start with a mirrored block all rule, then add a mirrored permit rule for
the LAN subnet, and then add a mirrored rule with the permitted outbound exceptions
such as ports 80 and 443 TCP for HTTP and HTTPS, 53 UDP for DNS, and any other ports
allowed such as mail and news. This is something you might also be able to do at your
firewall if it can control outbound access, though you may have to create exceptions
for allowed computers, which may require that they use static IP addresses. Personal
firewalls such as Zone Alarm can also be very effective at controlling internet
access, though they may require individual computer configuration unless you can import
configuration files. --- Steve

http://www.securityfocus.com/infocus/1559 --- how to IPsec filtering policy.
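
The three-rule layout described in the post above, written out with `netsh ipsec static` as an added example that is not part of the original post. The policy, filter list and filter action names and the 192.168.1.0/24 LAN subnet are assumptions chosen for illustration.

```powershell
# Added example: every name and the LAN subnet are assumptions.
$policy  = 'OutboundLockdown'
$lanNet  = '192.168.1.0'      # constructed sample subnet
$lanMask = '255.255.255.0'

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" command and stop on the first failure.
    netsh ipsec static @args
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $args failed" }
}

# Create the policy unassigned so it can be reviewed before it takes effect.
Invoke-IpsecStatic add policy name=$policy assign=no

# The two filter actions the rules refer to.
Invoke-IpsecStatic add filteraction name=Permit action=permit
Invoke-IpsecStatic add filteraction name=Block  action=block

# 1. Mirrored block-all: this computer <-> any address, any protocol.
Invoke-IpsecStatic add filterlist name=AllTraffic
Invoke-IpsecStatic add filter filterlist=AllTraffic srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

# 2. Mirrored permit for the LAN subnet.
Invoke-IpsecStatic add filterlist name=LanSubnet
Invoke-IpsecStatic add filter filterlist=LanSubnet srcaddr=Me dstaddr=$lanNet dstmask=$lanMask protocol=ANY mirrored=yes

# 3. Mirrored permit for the outbound exceptions named in the post.
Invoke-IpsecStatic add filterlist name=OutboundAllowed
$exceptions = @(
    @{ Proto = 'TCP'; Port = 80  },   # HTTP
    @{ Proto = 'TCP'; Port = 443 },   # HTTPS
    @{ Proto = 'UDP'; Port = 53  }    # DNS
)
foreach ($e in $exceptions) {
    Invoke-IpsecStatic add filter filterlist=OutboundAllowed srcaddr=Me dstaddr=Any protocol=$($e.Proto) dstport=$($e.Port) mirrored=yes
}

# Bind each filter list to its action. Rule order does not matter:
# the most specific matching filter decides, so the permits override block-all.
Invoke-IpsecStatic add rule name=BlockAll      policy=$policy filterlist=AllTraffic      filteraction=Block
Invoke-IpsecStatic add rule name=PermitLan     policy=$policy filterlist=LanSubnet       filteraction=Permit
Invoke-IpsecStatic add rule name=PermitOutbound policy=$policy filterlist=OutboundAllowed filteraction=Permit

# Review the result, then assign it on this computer once it looks right.
Invoke-IpsecStatic show policy name=$policy level=verbose
# Invoke-IpsecStatic set policy name=$policy assign=y
```

IPsec filters are stateless, so each mirrored permit also admits inbound packets whose source port is 80, 443 or 53; that is the trade-off against a stateful firewall.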