Restricting access on the firewall may completely stop access even
to legitimate and production-related sites.
How so? If all clients have their browser configured to use the proxy
server (preferably through a group policy) and only the proxy can access
the internet on port 80 then users can browse the internet via the proxy. If
they require direct access through the firewall for other applications you
only open the ports that the application in question requires.
Other applications that require a direct connection (MSN Messenger etc.)
would be blocked. If they use another application to bypass the proxy, they
would be blocked.
If they leave things alone it will work just fine.
Startsurf was an example
to demonstrate what can be possible; a bigger issue is compliance with the
policy of having no unauthorized software on machines.
If you were using Windows Server 2003 with Windows XP clients you could
prevent them from running the applications even if they renamed them, but
with Windows 2000 that is not an option without using third party products.
You could start by ensuring that users are not local administrators on
their PCs and add msiexec.exe to the deny list. This would stop any
applications that use the Windows installer from being installed (I think -
I haven't tried this).
If the users only need to run a limited number of applications you could
create a default policy of deny all, then just add the applications you
want to allow them to run.
It sounds to me like this is more of a people management problem than a
technical problem. Do you have an official internet access or computer use
policy at your work? Does it cover situations such as this and, if so, have
you notified the users' managers of the breach of policy?
That is why it is
rather more important to prevent the installation than breaking the
functionality of it.
A correctly setup proxy/firewall combination will ensure your security
without reducing legitimate functionality.
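To make the proxy/firewall combination described in this reply concrete, here is an added example (not code from the thread) that models the egress rules as a policy check and runs some constructed connection attempts through it; the addresses, proxy port and per-host exception are assumptions.

```python
"""Model of the egress policy described above: clients reach the web only
through the proxy, the proxy alone may reach the internet on port 80, and
direct outbound ports are opened per application only.
Example added to this thread; all addresses and ports are constructed."""
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")          # constructed client network
PROXY = ip_address("10.0.0.2")           # constructed proxy address
PROXY_PORT = 8080                        # constructed proxy listener port
# Direct openings for applications that really need them, keyed by client
# address: only the ports that application requires (constructed exception).
APP_ALLOW = {ip_address("10.0.0.50"): {443}}


def egress_allowed(src, dst, dport):
    """Return True if the firewall should pass src -> dst:dport."""
    src, dst = ip_address(src), ip_address(dst)
    if dst in LAN:
        # Internal traffic: clients may talk to the proxy listener.
        return dst == PROXY and dport == PROXY_PORT
    if src == PROXY:
        # Only the proxy may fetch from the internet, and only on port 80.
        return dport == 80
    # Everything else is denied unless explicitly opened for that host.
    return dport in APP_ALLOW.get(src, set())


def audit(flows):
    """Apply the policy to (src, dst, dport, note) tuples; return decisions."""
    return [(note, "ALLOW" if egress_allowed(s, d, p) else "DENY")
            for s, d, p, note in flows]


SAMPLE_FLOWS = [  # constructed connection attempts
    ("10.0.0.10", "10.0.0.2", 8080, "browser via proxy"),
    ("10.0.0.2", "203.0.113.7", 80, "proxy fetching a page"),
    ("10.0.0.10", "203.0.113.7", 80, "client direct to web"),
    ("10.0.0.10", "203.0.113.9", 1863, "messenger direct connection"),
    ("10.0.0.10", "203.0.113.9", 8080, "bypass attempt on another port"),
    ("10.0.0.50", "203.0.113.7", 443, "approved app on its opened port"),
    ("10.0.0.2", "203.0.113.7", 1863, "proxy on a non-web port"),
]

if __name__ == "__main__":
    for note, decision in audit(SAMPLE_FLOWS):
        print(f"{decision:5} {note}")
```

Only the flows that follow the intended path (client to proxy, proxy to port 80, or an explicitly opened application port) pass; every direct or bypassing connection is denied.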