disabling all internet access

Bryan

I have a Point of Sale (POS) application running on a Windows XP client.
This system is connected to my network. My network has internet access
through a low-end NAT router (D-link DI-604).

I do not want the POS client to be able to access the Internet, either
through IE or if a user installs a chat-client.

What is the best way to secure a Windows XP client from accessing the
Internet, yet still be able to access a network peer server? I would prefer
to control this at the client rather than installing other components on my
file server.

Thanks
 
Sooner Al [MVP]

How about the Shared Computer Toolkit...

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

 
Robert Bollinger

Disable the gateway - This will allow you to access the network yet not the
internet.

This will actually allow access to any system on your subnet (Assuming
current network config permits this).

This can be done by right clicking on the local area connection icon (or
whatever the name of the connection on the network control panel is).

Then choose TCP/IP and delete the gateway.

(You may need to set a static IP address).

There are several other ways of doing this; however, this is the easiest
for your situation.


Robert Bollinger, MCP.
 
Steven L Umbach

I agree with Robert in that a simple solution is to not use the real default
gateway. Having said that, if your users are local administrators or can
become local administrators by malicious action, they would be able to detect
and reconfigure the default gateway on the computer, so that is something you
would want to monitor [default gateway and membership of administrators
group], and also periodically review the security logs via Event Viewer on
the computer and, if it is XP Pro, enable auditing of account management in
Local Security Policy. --- Steve
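
The two items named in the post above (default gateway and Administrators group membership) can be checked against a baseline from captured command output. This is an added example, not code from the thread; it parses XP-style `ipconfig` and `net localgroup Administrators` output, and the sample output, addresses and account names are constructed.

```python
import re

# Constructed sample of `ipconfig` output from the POS client (addresses are made up).
IPCONFIG_OK = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""
# Same capture after someone re-enters a gateway (the gateway line is the last line).
IPCONFIG_CHANGED = IPCONFIG_OK.rstrip("\n") + " 192.168.0.1\n"

# Constructed sample of `net localgroup Administrators` output (names are made up).
NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
cashier1
The command completed successfully.
"""

def default_gateways(ipconfig_text):
    """Return every non-empty Default Gateway value found in ipconfig output."""
    pattern = r"^[ \t]*Default Gateway[ .]*:[ \t]*(\S*)"
    return [gw for gw in re.findall(pattern, ipconfig_text, re.M) if gw]

def admin_members(net_text):
    """Return the names listed between the dashed rule and the status line."""
    lines = net_text.splitlines()
    rule = [i for i, line in enumerate(lines) if line.startswith("-----")]
    if not rule:
        return []
    return [l.strip() for l in lines[rule[0] + 1:]
            if l.strip() and not l.startswith("The command")]

def audit(ipconfig_text, net_text, allowed_admins):
    """Baseline for the POS client: no default gateway, only approved administrators."""
    findings = [f"default gateway set: {gw}" for gw in default_gateways(ipconfig_text)]
    allowed = {a.lower() for a in allowed_admins}
    findings += [f"unexpected administrator: {m}" for m in admin_members(net_text)
                 if m.lower() not in allowed]
    return findings
```

An empty list from `audit` means the client still matches the baseline; any entry is something to follow up in the security log.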
 
Brad Dinerman [MVP - Windows Server Networking]

Bryan,

Although this is not the "free" solution, it is a very technically sound
one. Consider replacing your low-end NAT router with a decent
firewall/NAT device such as a SonicWall TZ-170. You can then exclude
any device from accessing the Internet based on its IP address, and you
won't need to worry about local administrators changing the default
gateway in the workstation's NIC settings, etc.

Yours,
Brad Dinerman


______________________________________
Bradley J. Dinerman, MVP - Windows Server Systems
President, New England Information Security Group
http://www.neisg.org
 
Steven L Umbach

Great idea, though the user should beware that a savvy user might figure out
what is an "allowed IP" and change his IP address to be one that is allowed.
Of course a real firewall is a significant part of defense in depth and
viewing logs is an important part of seeing what is going on. Personally I
would probably fire someone that went that far to try and access the
internet, though a computer use policy should be implemented with stated
consequences to protect the employer, which usually sends a strong message to
others. --- Steve


 
Brad Dinerman [MVP - Windows Server Networking]

Well, if push really comes to shove, then you can also force the users
to authenticate to accounts on the firewall so that not only must they
access the Internet from permitted workstation IP addresses, but they
must also provide ID/password.

-Brad


______________________________________
Bradley J. Dinerman, MVP - Windows Server Systems
President, New England Information Security Group
http://www.neisg.org
 
