Restrict All Internet Access except one web site

Is it possible to restrict all internet access except one or two web sites I
could put on a list?
We are using a domain with Active directory.
For a few users in our company, we only want to give them access to one or
two web sites and no others.
 
Is it possible to restrict all internet access except one or two web sites I
could put on a list?
We are using a domain with Active directory.
For a few users in our company, we only want to give them access to one or
two web sites and no others.

Set the firewall to only allow access to that website for their IP.
 
When you say "Firewall", are you talking about the network's firewall or WinXP's
firewall? Because I am not seeing anything in the WinXP firewall that would allow
that.
Please advise.
 
You can't do this with the host-based firewall in Windows XP, it isn't
designed for such things.

You will need a network firewall that is aware of user IDs. Tying such
decisions to IP addresses won't work for two reasons:

* addresses can be forged
* if you're using DHCP, there's no guarantee that a client
address will always be the same

Steve Riley
(e-mail address removed)
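The two failure modes listed in the reply above, shown as an added example that is not part of the original thread: an audit over the log of a user-aware proxy or firewall, flagging entries where source address and authenticated account disagree. The log format, account names, addresses and host names are all constructed, and the example assumes the device records the authenticated user for each request.

```python
from collections import defaultdict

# Everything below is constructed for illustration: log format, accounts,
# addresses and host names.
ALLOWED_HOSTS = {"payroll.example.com", "timeclock.example.com"}
RESTRICTED_USERS = {"jdoe", "asmith"}      # hypothetical restricted AD group
LISTED_IPS = {"10.0.5.21", "10.0.5.22"}    # addresses an IP-keyed rule names

SAMPLE_LOG = """\
2024-05-01T08:00:01 10.0.5.21 jdoe payroll.example.com
2024-05-01T08:00:09 10.0.5.22 asmith timeclock.example.com
2024-05-01T09:14:30 10.0.7.90 jdoe news.example.org
2024-05-01T09:20:02 10.0.5.22 itadmin news.example.org
2024-05-01T09:31:47 10.0.5.21 jdoe news.example.org
malformed entry
"""


def parse(log_text):
    """Yield (timestamp, src_ip, user, host); skip malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)


def audit(log_text):
    """Group log entries by the way address and identity disagree."""
    findings = defaultdict(list)
    for ts, ip, user, host in parse(log_text):
        restricted = user in RESTRICTED_USERS
        if restricted and ip not in LISTED_IPS:
            # New DHCP lease or changed address: an IP-keyed rule misses this user.
            findings["restricted_user_on_unlisted_ip"].append((ts, user, ip))
        if not restricted and ip in LISTED_IPS:
            # Someone else holds a listed address: the rule hits the wrong person.
            findings["listed_ip_used_by_other_account"].append((ts, user, ip))
        if restricted and host not in ALLOWED_HOSTS:
            # What a user-keyed policy must deny, whatever the source address.
            findings["restricted_user_off_allowlist"].append((ts, user, host))
    return dict(findings)


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_LOG).items():
        for entry in entries:
            print(kind, *entry)
```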
 
Steve,
I'm going to have my network Admin check the IP thing out on our firewall -
we use static IPs.
You said something about IPs being forged - I'm assuming you are talking
about IP addresses outside my network - I'm only going to let one or two IP
addresses through for the users I'm attempting to restrict - it is for our
new payroll punch-in/out system. Is there a real possibility that one of these
two IP addresses will be intercepted and forged by some malicious code?

But if you know of a better way like something in Active directory / group
policy - Please let me know, I am very interested.
 
If I can learn one of the two IP addresses that your firewall is allowing,
then I can cause a denial of service attack against one of those computers,
change my address to that computer's address, and then get out the firewall.

IP addresses cannot be used as trusted identifiers of people or machines --
they were never intended for that purpose. You must use a firewall that is
able to understand who the *user* is.

Steve Riley
(e-mail address removed)



Alex said:
Steve,
I'm going to have my network Admin check the IP thing out on our firewall -
we use static IPs.
You said something about IPs being forged - I'm assuming you are talking
about IP addresses outside my network - I'm only going to let one or two IP
addresses through for the users I'm attempting to restrict - it is for our
new payroll punch-in/out system. Is there a real possibility that one of these
two IP addresses will be intercepted and forged by some malicious code?

But if you know of a better way like something in Active directory / group
policy - Please let me know, I am very interested.
 
Alex said:
Is it possible to restrict all internet access except one or two web
sites I could put on a list?
We are using a domain with Active directory.
For a few users in our company, we only want to give them access to
one or two web sites and no others.

Have you looked into ISA?
 
I want to make sure we are on the same page......
We have some users (about 20) that do not currently have internet access
that are inside our firewall - the rest of our company has internet access.
They need to be able to access two secure INTERnet websites outside our
firewall.
I don't want those 20 users to be able to access anything else.
I thought that maybe we would find out the IP addresses for those websites
and then only allow enough services to enable internet access to and from
those websites.
I am not worried that the 20 users inside our firewall which have restricted
user accounts will attempt to change their own IP addresses.
I am wondering 1) will this work - will it restrict internet access to only
those two websites? 2) Is there any danger from the outside?

But if you know of something in active directory / group policy that can do
this instead or any other way - I would greatly appreciate it.
 
Are you talking about Microsoft ISA Server?
We are hoping not to buy more software or hardware for this workaround.
 
Alex said:
Are you talking about Microsoft ISA Server?

Yep.

Alex said:
We are hoping not to buy more software or hardware for this
workaround.

Not sure you can do this, at least not easily...but I've been wrong before.
 
Our network Admin. set our current firewall to only accept one-way traffic
(two-way if user-initiated) to the web site's IP address and nothing else -
it seems to be working - I would just like more info on any possible dangers
and/or any other ways of doing this like IEAK tools or Active Directory /
group policy, etc.
 
Sounds like you are already utilizing a firewall with a defined address block
to restrict Internet access for these 20 users. You've now added a rule
allowing them access to two sites. Hopefully, your administrator has
configured your firewall to NAT the address of all internal users accessing
the Internet.

Short of implementing new technology (such as a proxy), I think you've hit
 