Setting Up a Computer to Only go To an Approved List of Websites

BuGaLoU ([H]ard|Gawd, joined Apr 24, 2002, 1,156 messages)
I am setting up internet kiosks for my company and am trying to find a decent solution to only allow access to a defined list of websites and domains. The list is going to include about 25 domains. I would like a solution that is effective locally, and not on a server level because there will only be 2 kiosks. Anyone have any suggestions?

Thanks!
 
Just a thought, but it may be possible to block things using your browser. I know that you can block specific things using internet exploder, but I'm not sure about a global sort of thing where you can only access specific things.
 
elguapo said:
Just a thought, but it may be possible to block things using your browser. I know that you can block specific things using internet exploder, but I'm not sure about a global sort of thing where you can only access specific things.
Yeah, you can do this via Content Advisor, but there is no way to block everything except for specified sites. It is also not really the purpose of this feature.
 
This is probably a bit overengineered for what you need, but I know this can be done with Microsoft ISA server. Perhaps there's something smaller and similar someone can think of that would suit your needs (some other kind of firewall/proxy that you can specify http access to certain destinations only).
 
Just use an IPSEC policy.

You can get there by typing "gpedit.msc" in the run box
Then do the following:
Local Computer Policy-->Computer Configuration-->Windows Settings-->Security Settings--> IP Security Policies on Local Machine.

You then want to create a new policy by right-clicking in the window on the left and selecting Create IP Security Policy.

Hope this helps.

BTW, if you don't give the user logging in to the computer admin rights, they will never be able to change the policy.
 
Ugh, I'm embarrassed to even mention this...

set the computer's DNS settings to point to a non-existent host (127.0.0.2)
change the hosts file to contain the IPs and hostnames of allowed web sites

Yes, it is a SUPER ugly-hack, but cheap.
 
Fint said:
Ugh, I'm embarrassed to even mention this...

set the computer's DNS settings to point to a non-existent host (127.0.0.2)
change the hosts file to contain the IPs and hostnames of allowed web sites

Yes, it is a SUPER ugly-hack, but cheap.

Ooh nice. I should have thought of this already; this may be perfect for this application.
 
Fint said:
Ugh, I'm embarrassed to even mention this...

set the computer's DNS settings to point to a non-existent host (127.0.0.2)
change the hosts file to contain the IPs and hostnames of allowed web sites

Yes, it is a SUPER ugly-hack, but cheap.

Well, no luck here. It seems the computer still wants a working DNS server. This may be due to the fact that internet traffic is tunneled through a proxy server. I did add the proxy's domain and IP to the HOSTS file, but it will not display any webpage. I think the safest bet is using the IPSEC feature.
 
Doc Holiday said:
Just use an IPSEC policy.

You can get there by typing "gpedit.msc" in the run box
Then do the following:
Local Computer Policy-->Computer Configuration-->Windows Settings-->Security Settings--> IP Security Policies on Local Machine.

You then want to create a new policy by right-clicking in the window on the left and selecting Create IP Security Policy.

Hope this helps.

BTW, if you don't give the user logging in to the computer admin rights, they will never be able to change the policy.

I think I figured out most of this, but what I can't figure out is how to block all the sites not on my allow list. The only option is to block all IPs. It overrides my allow list and therefore never connects to a site. I need a "block everything except" type of rule. How can I accomplish this via IPSEC?
 
Just place the "block all IPs" rule at the bottom of the list. It reads from top to bottom as a rule list.
 
Well, the best solution would be to set up a NAT firewall/proxy server. But since you only have 2 PCs, that would be stupid. lol

So I think the easy way would be to buy third-party software like ZoneAlarm Pro with Web Filtering. Then you can set admin rights, block everything and only allow certain domains.

That's easy. :D
 
slyguy63 said:
Well, the best solution would be to set up a NAT firewall/proxy server. But since you only have 2 PCs, that would be stupid. lol

So I think the easy way would be to buy third-party software like ZoneAlarm Pro with Web Filtering. Then you can set admin rights, block everything and only allow certain domains.

That's easy. :D

That is exactly what the IPSEC policy does within Windows; no need to buy ZoneAlarm.
 
Doc Holiday said:
Just place the "block all IPs" rule at the bottom of the list. It reads from top to bottom as a rule list.

I'm pretty sure I did that and it still didn't work; maybe not though, I will have to double check.

Do you know of any web pages that might point me in the right direction to do this? Google is pulling up a ton of stuff that isn't relevant to what I am trying to do.
 
Doc Holiday said:
That is exactly what the IPSEC policy does within Windows; no need to buy ZoneAlarm.

IPSEC is used for encrypting packet headers and packet data structures themselves. You can use it to block sites by IP, but it will be relatively easy to go around that to get to the site that you wish to view.

ZoneAlarm can block IP, domain name, DNS, and filters words through websites. You can't use a utility to bypass it. This would be the best solution since anyone could look up on the net how to bypass IPSEC to view a certain site. Since he is not on a domain it is easily bypassed, unless he locks down just about everything per computer.
 
slyguy63 said:
IPSEC is used for encrypting packet headers and packet data structures themselves. You can use it to block sites by IP, but it will be relatively easy to go around that to get to the site that you wish to view.

ZoneAlarm can block IP, domain name, and filters words through websites. You can't use a utility to bypass it. This would be the best solution since anyone could look up on the net how to bypass IPSEC to view a certain site. Since he is not on a domain it is easily bypassed, unless he locks down just about everything per computer.

You can also set a policy to block by DNS name, which is the same as domain name.
 
Doc Holiday said:
You can also set a policy to block by DNS name, which is the same as domain name.
I believe most of us here can define the meaning of DNS and domain.

DNS and domain can mean the same thing when they are used loosely.
When you run an enterprise network, domain (for AD) and DNS are 2 different things.

Good day
 
My company isn't going to spend money on something so low priority, so ZoneAlarm is out of the question. Besides, it seems a little overkill for what I am trying to accomplish. It seems as if this should be fairly simple though. I have a set list of about 30 websites that would be allowed; everything else should be blocked.

Maybe a little detail will help.

*2 Computers
*I want to use LOCAL solutions. No server level solutions
*Both are on a domain w/ dynamic IPs via DHCP
*OS is Windows XP
*They will be internet kiosks that should only be able to view 30 or so websites.
*Connect to the internet via a proxy on port 8080
 
OK, I think that by going through the proxy the IPSEC policy will not work. This is because the proxy handles all the traffic. What kind of proxy are you using? Are there settings on there for this type of thing?
 
Doc Holiday said:
OK, I think that by going through the proxy the IPSEC policy will not work. This is because the proxy handles all the traffic. What kind of proxy are you using? Are there settings on there for this type of thing?

I'm not sure at all. I don't have access to the proxy at all, and have no real way of getting it, thus my needing a local solution.

The only local setting is pointing the internet connection to the proxy address on port 8080 in the Internet Options section of Windows.
 
Well, I tried ZoneAlarm and I am getting the same problem I was getting with IPSec. It blocks everything and ignores my "allow" list. The order I have the rules in doesn't matter. I have the top rule to allow my proxy server, the second to allow the white list of sites, and then the 3rd is to block everything else. This does not work. I tried the order in several different ways and no go; I also tried swapping the "block" and "allow" fields in different orders. Nothing.

This is getting somewhat frustrating; it seems like such a simple task! :p
 
Are these kiosks logging into a domain or are they standalone? We just did this at work, but it's set at the user level on our domain. It was free; I will have to find out exactly how it was done on Monday. It does exactly what you want: blocks all except certain websites specified by you.

I also remember something about setting a fake proxy in IE for all websites, then under exceptions putting in the websites you want them to access. Then through Group Policy disallow access to change IE settings.
 
jonw757 said:
Are these kiosks logging into a domain or are they standalone? We just did this at work, but it's set at the user level on our domain. It was free; I will have to find out exactly how it was done on Monday. It does exactly what you want: blocks all except certain websites specified by you.

I also remember something about setting a fake proxy in IE for all websites, then under exceptions putting in the websites you want them to access. Then through Group Policy disallow access to change IE settings.

They log into the domain.
I have access to our OU in AD so your solution may be applicable here, although I'm not sure if our proxy system is tied into AD other than just basic user verification. We do have to be added to the "Proxy Users" group to have internet access though.
 
OK, I am pretty sure that this whole issue is due to the fact that I am connected via a proxy server. It seems it is resolving all the DNS, thus nothing local is working. All three of the suggested solutions so far would work if I could force Windows to resolve DNS locally, then request the data via the proxy. I'm not sure if this is even possible though, due to the nature of proxy servers.

Basically the computer is seeing the internet as one website (the proxy server). There is no real way to accomplish what I am doing unless I force the computer to use the HOSTS file for DNS, and use the proxy server strictly for content once DNS is resolved. I'm not exactly sure if this is possible though.
 
Depending on your proxy server, this is exactly what it is designed to do. We have a Kiosk group on our proxy defined by IP (we reserve the IPs of the Kiosk machines on the DHCP server so they stay on the same addresses).

Connections from the Kiosk IPs are only allowed to 12 Internet sites by the proxy.
 
nessus said:
Depending on your proxy server, this is exactly what it is designed to do. We have a Kiosk group on our proxy defined by IP (we reserve the IPs of the Kiosk machines on the DHCP server so they stay on the same addresses).

Connections from the Kiosk IPs are only allowed to 12 Internet sites by the proxy.

Yeah, I know; the problem is I do not have access to the configuration of this proxy server. I am starting to think that a local solution does not exist, though, so I might have to talk to someone that does have access.
 
If using Internet Explorer:

Go to
Tools--->Internet Options--->Content--->Content Advisor: Enable

--->General---> Uncheck "Users can see sites with no ratings" --->OK

Now no sites at all can be viewed.

Now, do this:

Go into Content Advisor and click the Approved Sites tab

Enter sites you want the Kiosks to use

Rinse and Repeat on Terminal 2

This works because really no sites have ratings, so no sites are allowed.

Also, this has an Admin password so you can easily access other sites if the need arises.
 
Well, the fake proxy settings in IE is what we used at work.

Go into User Configuration in Group Policy, Windows Settings, IE Maintenance, Connection, Proxy Settings; input some random address, 5.5.5.5 for example, port 10, whatever. Use it for all addresses. Then in exceptions put the websites you want people to be able to access, like *.hardforum.com;*.msn.com;*.yourcompany.com. It is limited in how many websites you can enter, but for anything but the exceptions it will go to 5.5.5.5. Then deny access to change proxy settings.

Apparently you need a proxy to get out in the first place so this may just not work at all.. :)
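The "fake proxy for everything, exceptions for the allowed sites" idea above is the same logic a proxy auto-config (PAC) script expresses, and a PAC also covers the case jonw757 flags: when a real proxy is mandatory, the exceptions can be sent to that proxy instead of going direct. The block below is an added example, not code posted in this thread or shipped by any product named here; the proxy name, the black-hole address and the domains in the allow-list are assumptions standing in for the poster's 30 or so kiosk sites.

```javascript
// Added example (not from the thread): an allow-list written as a PAC script.
// Approved hosts are sent through the kiosks' real proxy; every other host is
// sent to an address no proxy listens on, so the request simply fails.
// Hypothetical values: the proxy name, the black-hole address and the domains.

var REAL_PROXY = "PROXY proxy.corp.example:8080"; // assumed real proxy (port 8080 as in the thread)
var BLACK_HOLE = "PROXY 127.0.0.1:1";             // nothing listens here on purpose

// Constructed allow-list (placeholders, not the original poster's sites).
var ALLOWED_DOMAINS = ["hardforum.com", "msn.com", "yourcompany.com"];

// Same semantics as the PAC built-in dnsDomainIs(): the host must equal the
// domain or end with "." + domain, so www.hardforum.com matches hardforum.com
// while nothardforum.com and hardforum.com.example do not.
// Written in old-style JavaScript so the PAC part also runs in an XP-era IE.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) {
    return true;
  }
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

function isAllowedHost(host) {
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    if (dnsDomainIs(host, ALLOWED_DOMAINS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request when this PAC is in use.
function FindProxyForURL(url, host) {
  return isAllowedHost(host) ? REAL_PROXY : BLACK_HOLE;
}

// Stand-alone check (Node only, not part of the PAC): route a few constructed
// requests and report where each would go, so the list can be reviewed
// before it is pushed to the kiosks.
function routeSamples(urls) {
  return urls.map(function (u) {
    var host = new URL(u).hostname;
    return { url: u, route: FindProxyForURL(u, host) };
  });
}

var SAMPLE_URLS = [
  "http://www.hardforum.com/",
  "http://nothardforum.com/",
  "http://hardforum.com.example/",
  "http://www.msn.com/"
];

routeSamples(SAMPLE_URLS).forEach(function (r) {
  console.log(r.url + " -> " + r.route);
});
```

Only the part above routeSamples belongs in the PAC file; the rest is a review harness. The suffix check matters: a plain substring match would let a lookalike name such as nothardforum.com through, which is the sort of gap that turns an allow-list into a false sense of control. As with the thread's manual version, the setting is only as strong as the Group Policy that stops the kiosk user from changing it, and the proxy-side kiosk group nessus describes remains the stronger enforcement point because it does not depend on the client at all.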
 