This would be best done at the firewall if possible, using a firewall that can also manage
outbound access by port, protocol, and IP address with a default block-all rule.
A SOHO firewall such as the SonicWALL SOHO3 or the NetScreen 5XP would fit the bill
in the $400 or above price range. There are much cheaper alternatives such as the
D-Link DI-804HV that can be configured to permit access to only allowed sites based
on name, which however is not as secure a method, and it is not an SPI firewall. A free
alternative would be [assuming a firewall already exists at the perimeter] to use
IPsec filtering on those computers. You could configure a default block-all rule,
then a permit rule for the LAN subnet, and finally a permit rule for each website
that they would be allowed to access. --- Steve
http://www.dlink.com/products/?pid=59 --- D-Link.
http://www.securityfocus.com/infocus/1559 --- How to create custom ipsec filters.
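
The three-rule IPsec layout described in the post above, as an added example that is not part of the original post. It assumes a Windows host that provides the `netsh ipsec static` context; the policy, filter list and rule names are hypothetical, 192.168.1.0/24 stands in for the LAN, and 203.0.113.10 is a placeholder for one permitted website.

```bat
rem Added example, not from the original post. All names and addresses are
rem constructed: 192.168.1.0/24 = LAN, 203.0.113.10 = one permitted website.

rem 1. Create the policy container without the default response rule.
netsh ipsec static add policy name=OutboundAllowlist activatedefaultrule=no

rem 2. Two filter actions: one blocks, one permits (no IPsec negotiation).
netsh ipsec static add filteraction name=BlockAction action=block
netsh ipsec static add filteraction name=PermitAction action=permit

rem 3. Default block-all: this computer <-> any address, any protocol.
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=me dstaddr=any protocol=any mirrored=yes

rem 4. Permit the LAN subnet. This assumes the DNS server and other local
rem    services sit inside this subnet; otherwise they need their own filter.
netsh ipsec static add filterlist name=LanSubnet
netsh ipsec static add filter filterlist=LanSubnet srcaddr=me dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=any mirrored=yes

rem 5. Permit each allowed website by address, narrowed to TCP port 80.
rem    Add one filter line per site; the filter matches the address, so it
rem    must be updated if the site moves to a different address.
netsh ipsec static add filterlist name=AllowedSites
netsh ipsec static add filter filterlist=AllowedSites srcaddr=me dstaddr=203.0.113.10 protocol=tcp dstport=80 mirrored=yes

rem 6. Bind each filter list to its action. Rule order does not matter:
rem    the most specific matching filter is applied, so the subnet and
rem    single-host permits take precedence over the any-address block.
netsh ipsec static add rule name=BlockAll policy=OutboundAllowlist filterlist=AllTraffic filteraction=BlockAction
netsh ipsec static add rule name=PermitLan policy=OutboundAllowlist filterlist=LanSubnet filteraction=PermitAction
netsh ipsec static add rule name=PermitSites policy=OutboundAllowlist filterlist=AllowedSites filteraction=PermitAction

rem 7. Activate the policy, then list it to confirm the three rules.
netsh ipsec static set policy name=OutboundAllowlist assign=y
netsh ipsec static show policy name=OutboundAllowlist level=verbose
```

Assign the policy from the console rather than a remote session the first time, since a missing LAN permit cuts off remote management as soon as the block rule takes effect.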