Dumb Q: Restricting net access to only a couple webpages

[StratocasterMaster]

This is a dumb question as I know its a simple matter but I've never had to go about it this way so I dont know what would be the best solution.

My company wants to spend money on this program 'SurfControl' to block this small, specific group of users from playing on the internet all day.

I know there has to be a cheap if not free solution to this...

On this small group of users, maybe 5-8 PC's they want to block off ALL internet (HTTP) EXCEPT two websites related to the company... if they didnt mind loosing complete access with these machines I'd just block port 80 or remove any access to iexplore. :/

I'm just wondering if anyone has a quick solution to this so I can keep them from tossing money at band-aid software if not needed.

Thanks
~Kris

 

[da sponge]

Do you have any firewall in place further up the chain?

 

[Fint]

Non-technical solution: FIRE THEM.

Assuming the bad users use the same PCs every day, it should be pretty easy. You can play tricks with DNS (editing their HOSTS file), or block them at your firewall/router.

 

[XOR != OR]

Non-technical solution: FIRE THEM.

Bingo.

But, to answer the other question, we'll need more details about your infrastructure.

 

[StratocasterMaster]

Non-technical solution: FIRE THEM.

Assuming the bad users use the same PCs every day, it should be pretty easy. You can play tricks with DNS (editing their HOSTS file), or block them at your firewall/router.

Yea I forgot aboutthe HOSTFILE... I know I can delete specific DNS's but what about I wantt o delete ALL but a small portion of them (2 specific sites to be exact)

Yes, we have a firewall further up the chain, a Watchgaurd Firebox.

EDIT: I'm not ina place to do any people relocating otherwise I would -- but I guess those in power dont wish to. :/ It is expensive to fire someone afterall.

~Kris

 

[Fint]

Depending on what else they use the PCs for, change their hosts file to have the names and IPs of allowed servers/sites, and then set their DNS settings to point to an invalid DNS server. This means that they'll only be able to see servers/sites in the hosts file.

Its kind of ugly, but it'll work.

 

[StratocasterMaster]

Well someone just came and talked to me about it and they have other reasons for utilizing the software as well -- I still dont know if its a good idea as I was told they had it a couple years ago and it was horrid. :/

I am probably going to try the DNS trick on those few PC's and see what happens.

Thanks for the help guys,
~Kris

 

[Blue Knight]

How is your network setup? Is there a regular SOHO router? or are you using a server as the gateway?

Most routers these days have built in website blocking. (Like my netgear WG614). All you have to do is block the specific website DNS, or you can block specfic keywords or phrases inside of the DNS.

Not sure if other people in the company need these "game sites" as well, but even if you don't use a router, they're cheap at $50, and if you've already got one, then it's free.

 

[unhappy_mage]

You could also set up Squid and SquidGuard; both are free, and I know squid runs on NT and linux, and I think it's possible to get squidguard going on NT. Either way, you don't need very advanced filtering for this, so just plain squid should work. Then block port 80 (or transparently redirect if you're feeling sneaky) and they can't get anywhere.

 

[StratocasterMaster]

How is your network setup? Is there a regular SOHO router? or are you using a server as the gateway?

Most routers these days have built in website blocking. (Like my netgear WG614). All you have to do is block the specific website DNS, or you can block specfic keywords or phrases inside of the DNS.

Not sure if other people in the company need these "game sites" as well, but even if you don't use a router, they're cheap at $50, and if you've already got one, then it's free.

The thing is, most deparments its fine for some surfing here and there and no one is really out of hand but according to the manager of that department they are so we are just trying to make him happy. So we dont need to block out port 80 or anything like that for the whole site but only for a couple users which is why I was looking for a client localized solution of something that could block those things out on ONLY those systems.

As I said though, the upper ups already decided to get the stupd SurfControl software as they apparently have other uses for it that they feel are important... I assume I'll see the benifits of it once deployed but form what I've been told by other tech, this software is horrid.

 

[ashmedai]

Gotta love when the business types (or worse, marketing) make technical decisions.

Optimally they should let you know what they want accomplished and to what end, and let you find the best solution.