Best way to block all web sites and allow a handful

chuck2002

Senior member
Feb 18, 2002
What would be the best cheap way to control web access to a lab of 35 computers that need only visit a handful of web sites?
The lab is made up of win2k and XP workstations connected to a server 2003 AD.
I thought of using group policy, but since I want them to get to a few web sites instead of blocking web access altogether, I can't find a program that works. I have tried IEURLLock, but it doesn't work.
I also thought of setting up a Squid or other proxy, but it seems like they are better at blocking specific web sites instead of blocking everything and then having a whitelist for the allowed web sites.
Due to our network config, these computers are behind a firewall already, and the boss doesn't want them to be behind another firewall. A web proxy is ok, just not another firewall....

Any suggestions are greatly appreciated.
 

bwcc

Member
Jan 8, 2006
Here are a few options you have.

One, you can prevent or completely remove DNS forwarding and create HOST files for the specific traffic you do need to have outside of your network.

Two, you can set up your 2003 AD server as your gateway and forward all traffic through it before it goes out - setting up Routing and Remote Access.

Three, if you're using IE only, you can use Content Advisor to block near everything aside from the list of Approved Sites - but this is not foolproof.

Four, since you're already behind a firewall, set up your rules to deny all port 80/88 traffic aside from the IP addresses or domain names of the sites you want to allow.
 

jlbenedict

Banned
Jul 10, 2005
Cheapest way: modified hosts file. Add domains to block and point them to the loopback. Users will get a "page cannot be displayed". So, for example:


# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 myspace.com
127.0.0.1 anandtech.com
127.0.0.1 ebay.com

 

chuck2002

Senior member
Feb 18, 2002
Ya I was thinking that might be a decent way to go.
I can remotely run commands and copy files, so no sweat there.
That also got me thinking ..... I might also try setting up an internal DNS server with no forwarding if it doesn't have a record locally. I then can control the web sites they visit in one place by editing the single DNS server.
I'd set the machines I want to control the web on to only talk to that DNS server.
 

ForumMaster

Diamond Member
Feb 24, 2005
Can't you just tell the router to only allow certain IP addresses? The DNS way might work, but maybe some smart kid will go home and find the IP address and access it like that.
 

jlbenedict

Banned
Jul 10, 2005
Originally posted by: ForumMaster
Can't you just tell the router to only allow certain IP addresses? The DNS way might work, but maybe some smart kid will go home and find the IP address and access it like that.

That's what I was thinking.. For the user that is well informed and technically savvy, there are ways to get the IP addresses and access resources that way..
 

chuck2002

Senior member
Feb 18, 2002
Ya I'll take that for now.
I have successfully implemented the DNS server in this fashion and it is working like a champ. If they want to type in the IP to get somewhere, they can do that. When it becomes a problem, I will revisit this issue.
Thanks for the suggestions!
 

rasczak

Lifer
Jan 29, 2005
Originally posted by: jlbenedict
but it's a PITA because it has to be done on every machine, locally

**edit** nvm didn't read the op's answer. :/ lol

but I like the firewall solution much better.
 

nweaver

Diamond Member
Jan 21, 2001
DNS isn't a bad way, but realize that unless you lock stuff down, pointing to IPs alone would fix some of that (we found users bringing in lists of IPs), or if rights are incorrect, setting it to a valid DNS server (like their home ones) works right around all that stuff.

Transparent proxy would be your best option. I'm pretty sure Squid can do a deny all/allow from list.
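Added example, not code from any poster in this thread: a deny-by-default allow-list check in Python of the kind a Squid-style proxy applies to the URL the client actually requests. The domains are constructed placeholders. It shows why a proxy list closes the raw-IP bypass that the DNS-only approach leaves open.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample allow-list for the lab: only these sites (and their
# subdomains) may be reached. Every other destination is denied by default.
ALLOWED_DOMAINS = {"example.edu", "library.example.org"}


def _is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Deny-by-default decision on the requested URL, as a proxy whitelist does.

    Unlike a DNS-only whitelist, the decision is made on what the client asked
    for, so typing a site's raw IP address does not get around the list.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    if _is_ip_literal(host):
        return False  # raw-IP requests are not on the name list: denied
    for domain in allowed:
        d = domain.lower()
        # exact match or a subdomain; "notexample.edu" must not match
        if host == d or host.endswith("." + d):
            return True
    return False  # default deny: anything not listed is blocked


def filter_requests(urls, allowed=ALLOWED_DOMAINS):
    """Map each requested URL to an 'allow'/'deny' decision."""
    return {u: ("allow" if is_allowed(u, allowed) else "deny") for u in urls}
```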
 

drag

Elite Member
Jul 4, 2002
Squid proxy would be the best solution. It's what we use at work and it's transparent to the desktop. Doesn't require browser reconfiguration and such.
 

knightc2

Golden Member
Jul 2, 2001
I second the Squid proxy. We use it for content filtering with DansGuardian.

We have 6 machines on which we use the proxy loopback IP and manually add the allowed URLs in IE. Pain in the rear if you have to add/remove any, since you have to do it on all machines, but this is rare. I use Notepad with the URLs on a flash drive so you can copy/paste. And since this is only on 6 machines it isn't too bad.