Blocking sites for a certain user on Win2k Terminal Server

MetroRider

Senior member
Jun 11, 2001
433
0
0
hi guys,

a situation recently came up when a user at the office started using AIM/Yahoo a bit too much. i'll call this user 'johnny'. johnny would always log onto aim or yahoo using its client program whenever the boss would walk out of the room. so recently, one of the admins edited johnny's LMHOSTS file so that whenever he visited Yahoo.com or aim.com, it would go straight to 127.0.0.1

however, a main part of what is done in the office is terminal work using Citrix/Terminal server. seeing how he was blocked from locally logging onto those two websites, he now just logs via citrix, and easily goes onto the win2k terminal server and loads up aim/yahoo.com

if the LMHOSTS file of that pc were to be edited, would it not restrict EVERYONE from being able to access those two sites? i would like to have others be able to connect, just not johnny. someone mentioned maybe editing something in his user profile, but wasn't too sure.

thanks in advance for the advice.....
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
a) Fire the person

b) If for some silly reason you won't do A, remove his file rights from the aim executable.

Bill
 

MetroRider

hehe, funny suggestion bsobel, but it is not my decision or in my power to fire 'johnny'. at this point, firing wouldn't be necessary, only blocking access to Yahoo messenger.

also, he is not using the executable file on the pc. he is doing it via the web-based session, like using AIM Express, straight through an IE window. that is why all that would be needed is block access to both aim.com and yahoo.com on the terminal server. the trick is doing it in a way that only HE is blocked, and not others who log on.

thanks again... :)
 

lowtech1

Diamond Member
Mar 9, 2000
4,644
1
0
The TS server doesn't need to have AIM or IE on it, therefore you should remove the service completely from it.

[edit] What you can do is map his user profile to access only the program he needs to run under TS.
 

MetroRider

good point lowtech. in about three-four weeks, the citrix box is going to be changed to a single application only type terminal server. that way, johnny will only be able to use the main program from the TS and nothing else. however, until that time, would be nice to find a way to block just him.

you know, come to think of it.... restricting the HOSTS and LMHOSTS files doesn't seem like such a bad idea. in truth, no one should use the TS for chatting. if you want to chat, use your current desktop, not a session in terminal server. hehe, now that i have kinda answered my question, i would still be interested in knowing of an alternate solution.
 

lowtech1


If you have an IPfilter then you could block outgoing traffic on AIM & port 80 at the specific IPs.
 

bsobel

Originally posted by: lowtech
If you have an IPfilter then you could block outgoing traffic on AIM & port 80 at the specific IPs.

That's not a per user solution...
 

lowtech1

Originally posted by: bsobel
Originally posted by: lowtech
If you have an IPfilter then you could block outgoing traffic on AIM & port 80 at the specific IPs.

That's not a per user solution...

I believe that you can block a specific IP or IPs if needed. That means the user in question & the TS server, while the rest of the company users could still access those services. However the offending user can always use another station.

 

bsobel

I believe that you can block a specific IP or IPs if needed. That means the user in question & the TS server, while the rest of the company users could still access those services. However the offending user can always use another station.

I'm not sure I follow. If you block the user's IP, that will prevent him from accessing TS at all. Once on the TS box, he's on the same ip as everyone else for connecting to Aim/Yahoo, so I still don't follow?
Bill


 

lowtech1

Originally posted by: bsobel
I believe that you can block a specific IP or IPs if needed. That means the user in question & the TS server, while the rest of the company users could still access those services. However the offending user can always use another station.

I'm not sure I follow. If you block the user's IP, that will prevent him from accessing TS at all. Once on the TS box, he's on the same ip as everyone else for connecting to Aim/Yahoo, so I still don't follow?
Bill

I believe what MetroRider was saying is that all users can access AIM directly from their workstation except for "johnny". And, by blocking just "johnny" IP & the TS server IP for AIM the rest of the users could still access the web/AIM locally from their workstation as usual.

 

bsobel

I believe what MetroRider was saying is that all users can access AIM directly from their workstation except for "johnny". And, by blocking just "johnny" IP & the TS server IP for AIM the rest of the users could still access the web/AIM locally from their workstation as usual.

What he said is that they edited Johnny's LMHOSTS file on his local machine which prevented him accessing AIM. Now he's logging on to the TS and using AIM from there. Editing the LMHOSTS file there (or using the tcp port control as you suggested) will affect all TS users, not just Johnny.

Bill


 

lowtech1

Originally posted by: bsobel
I believe what MetroRider was saying is that all users can access AIM directly from their workstation except for "johnny". And, by blocking just "johnny" IP & the TS server IP for AIM the rest of the users could still access the web/AIM locally from their workstation as usual.

What he said is that they edited Johnny's LMHOSTS file on his local machine which prevented him accessing AIM. Now he's logging on to the TS and using AIM from there. Editing the LMHOSTS file there (or using the tcp port control as you suggested) will affect all TS users, not just Johnny.

Bill

That is correct. The users can't access AIM through the TS server, but the users still can use their workstation to access AIM as usual.

 

bsobel

That is correct. The users can't access AIM through the TS server, but the users still can use their workstation to access AIM as usual.

Right, and the question was how to do something on the TS server that wouldn't affect everyone...
Bill


 

lowtech1

Originally posted by: bsobel
That is correct. The users can't access AIM through the TS server, but the users still can use their workstation to access AIM as usual.

Right, and the question was how to do something on the TS server that wouldn't affect everyone...
Bill

I believe that the question is how to stop "johnny" from accessing AIM/Yahoo, not specifically on the TS server only. Which I provided the answers above.
 

bsobel

I believe that the question is how to stop "johnny" from accessing AIM/Yahoo, not specifically on the TS server only. Which I provided the answers above.

Actually that was the question, re-read the first post (or I'm sure MetroRider can jump to)
Bill


 

MetroRider

thanks for the feedback guys!

last night, i just ended up globally editing the LMHOSTS file of the TS server, and boy was 'johnny' surprised when he couldn't log onto AIM and Yahoo from the TS server when the boss left for lunch today, hahaha! he was really wondering what was happening, and i just played dumb ;) (uh... i dunno).

however, as stated by Bsobel, the main trick i'd like to get to work (if possible) is for just johnny's access/profile to be blocked on the TS server, while still letting others, like me and the boss, be able to browse to any site and not be restricted.