Controlling Internet access per user and workstation on a Windows domain?

[TwiceSliced]

I need to:

• Block Internet access for all users on certain workstations on the domain
• Allow certain websites to be accessible
• Allow same users full Internet access on other workstations

But...

• Setting a fake DNS server breaks access to domain resources
• Setting a fake proxy server breaks access to permitted websites
• Blocking specific users' access applies to all workstations

The server is running Windows SBS 2003 and the workstations are all running Windows XP Pro SP2 + IE7.

Suggestions? Am I missing something obvious?

Thanks.

 

[calvinj]

Something like untangle in bridge mode might be what your looking for

 

[TwiceSliced]

Really? Installing a dedicated server just to filter Internet traffic on a handful of our workstations? There's gotta be something less drastic...

 

[StarTrek4U]

The first and last points are easy enough. You can probably just set a rule on your firewall that says any of these IPs (insert workstations here) are or are not allowed to the internet (basically block the common ports, or just do a blanket deny). The middle point is the one that's confusing me. Allow certain websites to be accessible from where? Just the workstations with internet access? different workstations? Are you talking about ONLY allowing those websites and no others even on the workstations with internet access?

You need to explain that a little more before a solution can be offered.

 

[Captain Colonoscopy]

what your firewall describing sounds to me like you need a proxy server. there are mmany available to choose from, some are even free...
Posted via [H] Mobile Device

 

[jcy]

i think what he means is that his office has certain classes of users:

a) unlimited surfing
b) peon class of users who can only visit whitelisted sites
c) felon class of users who cannot visit any sites at all

the proxy servers I've looked at don't seem to offer this functionality tied to an Active Directory or NT4 Domain directory, or it will fail on the requirement for static IP addresses on a LAN, which is odd since everyone I know uses DHCP.

the one app that may work is Microsoft's ISA server, but that's a $900 product plus a Windows Server license plus hardware. All of which makes me want to punch Bill Gates in the nuts.

 

[calvinj]

Marshal 8e6 Webmarshal can do it by ad group, websense, take your flavorful pick and open your companies wallet

 

[Vito_Corleone]

Use a proxy and push it to the machines via GPO.

 

[vischo]

What kind of firewall do you have?

 

[SJConsultant]

I need to:

The server is running Windows SBS 2003 and the workstations are all running Windows XP Pro SP2 + IE7.

Suggestions? Am I missing something obvious?

Thanks.

SBS 2003 Premium or Standard? If premium, it includes ISA server which can do all of the things you request.

 

[TrEpIdAtIoN]

Windows SteadyState will filter Internet Content to the list of sites you specify access to. As long as you don't have many workstations that need the restrictions this is something you could look into...works pretty well imo.

 

[Database]

I've ran into a similar situation in the past... I went with the "fake" proxy settings in IE but excluded local intranet sites from that so they could still access those sites.

You can tell it to ignore all sites starting with "blank" and then pick the ip range or whatever. Worked fine for me.