You're asking to apply user controls to something that is fundamentally a
computer task: it's computers that make connections, not people.

Assuming that your problem child always uses the same computer and that no
one else uses that computer, you could put a rule in your firewall that
denies that computer access to the Internet. I'm assuming that you have an
internal mail server that receives mail for all your users. The problem
child will still be able to read email, since that access is to your
internal mail server, not to some place out on the Internet.

If he gets his mail from some server on the Internet, then you'll need to
allow that IP address to use the port number associated with whatever
protocol he uses to get mail. 110/tcp for POP3 or 143/tcp for IMAP4 would
probably be the ones to use -- what email client does your user use? Where
is the server?

This idea falls apart if the problem child goes to another computer, of
course. You could look at implementing something like ISA Server 2000 or
2004 in your environment, which *is* aware of users (because all requests to
ISA Server carry user credentials). But that's a lot of work just for this
one problem you're having -- which, really, is a management issue, best
solved by management techniques, not technology.