Disable Web Access to Specific Workstations

CarlosAntenna

I have a network in a manufacturing facility. PCs in the office need web
access, but in the manufacturing area I need to disable web access. There
is little supervision on the night shift and they have been caught surfing
instead of working. I need to allow access to the LAN for their
applications and email. But I want to disable web access at the machine
level, so it is disabled no matter who logs in. How can this be done? A
registry hack? A policy? PCs are mostly XP Pro with a few Win2K.

Carlos
 
The best way to do this would be with ISA or a similar proxy server app.
However, you could probably get away with removing the default gateway from
the IP config on these workstations, if the users don't have local admin or
power user rights.
 
In addition, the new and free MS Windows SteadyState tool for XP may work for
you if you have a small number of workstations. Note that this is only for
XP, though...

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

A proxy as suggested by Lanwench is really the best choice...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 
You can create an Active Directory Organizational Unit and place all of the
manufacturing MACHINES in that OU. Then under the Computer
Configuration/Administrative Templates/System/Internet Communications node
deny access to the I'net. No one who logs into THOSE machines will have
access.

You could also restrict the USERS who are guilty by placing their Accounts
in a Group, then that group in an OU and applying the same restriction. This
way, they can't wander to an office with an unlocked door on third shift and
defeat the machine restriction...
 
FYI, the GP settings you mention will reduce the functionality of Internet
Explorer but will not disable internet access. Also, you cannot apply Group
Policy settings to objects by placing them in a group and then placing that
group within the scope of influence of the Group Policy [though groups can
be used for filtering Group Policy], and Group Policy "computer"
configuration settings will not apply to users, only to computers. Enabling
loopback processing of Group Policy [in an Active Directory domain] can
change the way Group Policy settings are applied, so that user settings are
based on the computer and not the user, but that is not the norm. I agree
that in this situation modifying the default gateway or using filtering at
the gateway is the best way to implement the solution.

Steve
 
As per my earlier post, the Group containing the accounts (either computer or
user) would be placed first in an OU; the desired GPO would be created and
linked to that OU. In essence, GPOs are applied to Groups (all the time).
OUs can contain Computers, Users, Groups, Shared Folders, Contacts,
Printers, or InetOrgPerson objects. Refer to MOAC. Just as it is
ill-advised to assign permissions to individual User or Computer accounts
(unless applying Deny permissions), one should not populate an OU with
individual leaf objects when a single container object (e.g., Group)
collectively will do. Besides the obvious administrative advantage of
applying Policy to a single container object instead of the individual leaf
objects contained therein, application of Group Policy will be unnecessarily
long at startup and/or logon because the policy is being applied to that many
more objects.

However, you are correct in that the GPO setting I mentioned will not meet
the need to restrict all I'net access. But the stated need is to prevent
certain employees from accessing the I'net, regardless of which workstation
they log on to, so the best approach is to lock down the specific Group of
user accounts, not the machines. Also as stated, the offending employees
have no need for web access, so a GPO software restriction policy such as a
path or hash rule preventing iexplore.exe from running will accomplish
this... and the restriction is enforced at every logon.
--
JCB\1059


Hi JCB

I just wanted to clarify that Group Policy can only apply to users and
computers, and not to groups per se, but again, computer configuration
settings will not apply to users, as they apply to the computer and to anyone
who logs onto that computer, whether a domain user or a local user. I have run
into many situations where admins have put groups into the scope of influence
of a GPO and wondered why the policy did not apply.

While SRP can stop a particular binary from running, doing so for IE will not
necessarily prevent internet access, particularly if the user can use a
different web browser or access the internet via another application that is
not restricted. The best way I have found using Group Policy is to create an
IPsec policy that is applied to computers and filters access by
IP/ports/protocols, inbound and outbound.

Steve


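An added example, not from Steve's post or anything else in this thread, of the IPsec approach he describes: a computer-level policy that permits the plant LAN and blocks every other destination, so it holds for whoever logs on and does not depend on which browser or application they use. It is built with the netsh ipsec static context, which exists on XP SP2 and Server 2003 but not on Windows 2000 (use the IP Security Policies MMC snap-in there, or push the same objects from the domain under Computer Configuration\Windows Settings\Security Settings\IP Security Policies). The 192.168.10.0/24 subnet, the 192.168.20.5 mail server, the 198.51.100.1 test address and every policy, filter list, action and rule name are placeholders.

```batch
@echo off
rem Added example (not from this thread): a computer-level IPsec policy that
rem permits the plant LAN and blocks every other destination, so the block
rem holds for whoever logs on. Uses the netsh ipsec static context (XP SP2 /
rem Server 2003; Windows 2000 has no netsh ipsec context, use the IP Security
rem Policies snap-in or a domain GPO there). Run as a local administrator at
rem the console, not over a remote session, in case the subnet below is wrong.
rem Assumptions (placeholders): plant LAN 192.168.10.0/24 holds the DCs, DNS and
rem application servers; the mail server 192.168.20.5 sits on another subnet.

set POL=Plant-NoInternet

rem 1. The policy container. Left unassigned until the rules are in place.
netsh ipsec static add policy name="%POL%" description="Permit plant LAN only, block the rest" assign=no

rem 2. Filter lists. Windows IPsec applies the most specific matching filter,
rem    so the host and /24 permits below take precedence over the any/any block.
netsh ipsec static add filterlist name="%POL%-All"
netsh ipsec static add filter filterlist="%POL%-All" srcaddr=me dstaddr=any protocol=any mirrored=yes

netsh ipsec static add filterlist name="%POL%-Allowed"
netsh ipsec static add filter filterlist="%POL%-Allowed" srcaddr=me dstaddr=192.168.10.0 dstmask=255.255.255.0 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="%POL%-Allowed" srcaddr=me dstaddr=192.168.20.5 protocol=any mirrored=yes
rem DHCP client traffic (UDP 68 -> 67); harmless if broadcast is already exempt on this build.
netsh ipsec static add filter filterlist="%POL%-Allowed" srcaddr=me dstaddr=any protocol=udp srcport=68 dstport=67 mirrored=yes

rem 3. Filter actions: plain permit/block, no IPsec negotiation involved.
netsh ipsec static add filteraction name="%POL%-Block" action=block
netsh ipsec static add filteraction name="%POL%-Permit" action=permit

rem 4. Rules tying the lists to the actions inside the policy.
netsh ipsec static add rule name="Block-Everything" policy="%POL%" filterlist="%POL%-All" filteraction="%POL%-Block"
netsh ipsec static add rule name="Permit-Allowed" policy="%POL%" filterlist="%POL%-Allowed" filteraction="%POL%-Permit"

rem 5. Assign. Only one local policy can be active, and a domain-assigned IPsec
rem    policy overrides the local one, which is how to roll this out by OU later.
netsh ipsec static set policy name="%POL%" assign=y

rem 6. Check what is active, then prove the block from the workstation itself:
rem    the LAN gateway/server still answers, an outside address does not.
netsh ipsec static show policy name="%POL%" level=verbose
ping -n 2 192.168.10.1
ping -n 2 198.51.100.1

rem Roll back:
rem   netsh ipsec static set policy name="%POL%" assign=n
rem   netsh ipsec static delete policy name="%POL%"
```

Because the filters are mirrored, the same policy also drops unsolicited inbound traffic from outside the permitted ranges, and because the block is on destination address rather than on a program name, a second browser or a non-browser application gets no further than iexplore.exe would. The trade-off is that anything the workstation fetches from the Internet directly (Windows Update, antivirus signatures) must be served from a permitted LAN host instead. Test on one machine at the console, confirm mail, the domain controller and the shop-floor applications still work, and only then recreate the same objects in the IP Security Policies snap-in of a GPO linked to the manufacturing OU.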
 
Hi there, I have a solution for you: as one guy said, use a proxy server. This is the most efficient and user-friendly way of doing things. I take it you have an Active Directory with all your user profiles and group policies on it. This is dead simple, and best of all this software is free and can be obtained at http://opensource.censornet.com/. This program is fantastic and is dead easy to set up; it takes 30 minutes of time and that is it. Your whole network will be filtered. It is called CensorNet, and best of all the open-source version is completely free. Hardware requirements: it will run on pretty much anything, as it is built on Linux and so uses very few resources. CensorNet has been around for ages; all I can say is that when I was at school they were using it.

You can set specific sites; you can also set groups with different setups, e.g. you could have groups called students, staff and admins: admins can access everything, students can only access appropriate material and staff can access certain sites. The great thing about it is that it logs everything from when the user signs on to the internet, what sites were visited and at what time. You can also set time limits for either users or groups. I know when I was at school, because it was a boarding school, things like MSN and Bebo and non-work-related sites were blocked till a certain time, like after school, and at 20:00 every night the internet for the student group was disabled. The staff could still access it; however, students would get a message saying "the internet has been disabled, reason: time limit exceeded; a full log of your internet activity has been sent to the IT dept for review", and the user could do no more. So you could implement this in your workplace. You can create a group called "permanently blocked", put the users you don't want to have access in it, and set it to be permanently disabled, so even if they slipped into the office they wouldn't get out onto the net because it would be restricted.

So he gets fed up and logs off, then someone who works in the office who is authorised to do so logs in and accesses the internet fine. So you can lock down groups or individual users or PCs, and set time limits for certain users. Say you have someone in the office who is abusing the internet: you can go to his user individually, it doesn't matter what group he is in, and individually lock him out of the internet or set a time limit. And because CensorNet is so easily accessed via its web-based interface, the administrators can add or change settings in seconds, even block a website or set a specific time schedule; this can be done from any workstation in the building or at home. That way it is all done at network level rather than going to all your machines individually. It cannot be bypassed, as its intelligent engine can block any attempts to bypass it; the only way to bypass it is to plug your workstation in before the proxy. If you have Active Directory you don't have to sit there and manually enter each user and their permissions one by one; you can import the whole list of users from Active Directory, and you can also do this for computers, which you can lock down by MAC address. So if someone brought their laptop in and plugged it in, it wouldn't let them use the net until you added their MAC address to the allow list; then they could access it once they had entered their username and password. Then assign groups or certain user permissions and you're all filtered: it doesn't matter what PC those particular users go to, they will be refused internet access with no way around it, because as soon as you close the web page and reopen it, it requires you to log in again. If you use transparent authentication, the Active Directory has to be active, as if it goes down the net will stop for everyone.

When the user clicks Internet Explorer or any browser, it will require a username and password; the user just enters the same details as he/she did to log in to the computer (same username and password as on Active Directory). If that user has permission it will let them straight on; if that user doesn't, then it will come up with "your internet account has been disabled, contact your IT manager". You can customise what it says. If someone who has been granted access goes to a site that has been blocked, it will come up with a message saying "blocked" and that a log of the site has been sent to IT for review, and underneath that there is a button that says "request unblock". This allows the user to fill in a small online form with the reason they want the site unblocked. That message will be sent to the IT admin and he can unblock it if he thinks it's OK to use. It can also block certain apps like MSN and Yahoo Messenger from running, and you can also block all access to webmail to prevent users using their own personal email. There are so many features in this program. I use this myself when setting up networks with multiple users and workstations; it is so easy to manage the internet and make it a safe and non-time-wasting tool. You can also block downloads, so if someone tries to download a file or program it will block it and send a log. It also has several antivirus engines built in, so it keeps your network malware-, virus- and spyware-free. It can also close all ports to gaming, so if someone tries to launch an online game it will block it and send you a log of what user, what computer, what time and what date. You can also use this without Active Directory; you will just have to manually enter the users and it will use its own authentication method. I have gone on long enough about its fantastic features; now the setup.

First of all you will need an old or new PC that isn't being used for anything. It will need to have 2 Ethernet cards and a copy of CensorNet.

The first Ethernet card will plug directly into your internet connection or hardware firewall, depending on the network; i.e. broadband comes from outside into a corporate hardware firewall, then into one of the Ethernet ports of the proxy. The other Ethernet port is plugged into your hub or switch, normally on your backbone where servers and routers are connected, and the remaining switches/hubs on the backbone will normally be linked to other switches and workstations, depending on how many. That way everything coming from broadband or ISDN has to pass through the CensorNet proxy server first before it hits your corporate network. That way no users will be able to bypass it, as they won't be able to get in front of CensorNet or the hardware firewall, so you can feel safe it won't be bypassed. Just make sure it is locked in a room: when I was at school the proxy was in the same room, so I plugged my laptop straight into the internet, bypassing the proxy. That was soon changed and it was all locked away; if you have it locked away and out of reach of user access it won't be bypassed. Now your entire network is running as normal. Install CensorNet on the machine that is in place with two Ethernet cards; do this with the network cables unplugged from the proxy server to prevent the network going down. Once it is all installed, put your 2 Ethernet cables in and set it up. Then search for users and computers; it will then look at your Active Directory and import all users and computers. Once that is done you can create groups, i.e. office, maintenance, admin, and set up the permissions, time limits and website restrictions for your users. Then you can choose for all machines to work, or you can set it up for MAC address assigning; i.e. if someone brings their laptop in and joins the wireless network, if they go on the internet it won't let them on unless you add their MAC address to the allow list.

Once this is done, just put the IP address of CensorNet in the proxy settings of the workstation or laptop, and when the user then clicks on the internet it will require a username and password, then it will let that person on if he/she has permissions. You can disable that laptop or any workstation from connecting to the proxy at any time by going in and blocking it at a certain time. Once you're all done, the boss and IT manager can have the web address for the proxy; by this point all PCs/laptops on the network are now on the filtering system. If a member of staff comes to you and says "can I have internet access granted for 1 hour" because you banned it for misuse, you can enable it for 1 hour for that user; once that time is up that user's internet will be disabled while everyone else with granted access is still surfing. The boss or IT manager can log in from home or his workstation to CensorNet's user-friendly web interface and change the permission. Disabling users or computers from the proxy won't stop people logging in to the computers for normal use; they just won't have the net. I have gone on for ages; I hope this helps. I have an A+ in IT and am Cisco certified at CCNA1 level, so I hope this info is useful. Sorry if the writing is spelled wrong, as it is late at night. I would love to hear how you get on; my email is (e-mail address removed). If you need further support don't hesitate to email me. Many thanks for your time.
 