Restricting Internet Access by LAN IP
MatthewHSE
Status: Contributor
Joined: 20 Jul 2004
Posts: 122
Location: Central Illinois, typically glued to a computer screen
I'm helping some folks set up a small network of six PCs. The setup is pretty familiar to me: a DSL Internet connection with a router and network switches. According to my usual practice, I'll be manually assigning IP addresses to each computer on the LAN. So far so good.

The difficulty comes in the fact that the owner wants to restrict two computers on the network from accessing the Internet at all, EXCEPT for a short list of a few websites.

The router config will allow me to block Internet access for specific LAN IPs, but it blocks ALL web access, period. It's not advanced enough to block all access except for a few sites.

So I've been wondering and researching what I should do to accomplish the goal. It needs to be something that the users of these two machines can't override (or at least not easily), and it needs to be something that will only affect those two boxes.

At my recommendation, these machines are all running Windows 2000. I'm sure it will do what I need, but I'm not sure how to accomplish it. Any ideas will be most welcome.
techAdmin
Status: Site Admin
Joined: 26 Sep 2003
Posts: 4126
Location: East Coast, West Coast? I know it's one of them.
Hi Matthew, I'll see if anyone else can come up with a better solution, I found one here.

:: Quote ::
Add them to the hosts file in C:\winnt\system32\drivers\etc, then copy this file to each workstation. The hosts file is a plain text file that associates an IP address with a domain name. If you specify 127.0.0.1 as the IP address, the site is effectively blocked. (It *will* result in "404 not found".) For example:

127.0.0.1 www.crappysite.com
127.0.0.1 www.pornspam.com
127.0.0.1 www.bandwidth_hog.com

However, you'll notice that this method works very well for blocking specific sites, but not for blocking wildcards, i.e. all sites not in some list.

I'm not sure how you would get around that problem. The hosts file does not support wildcards, like on robots.txt for example. You can read on some other options here, but again, this is more focused on blocking individual sites, not allowing individual sites.
The age-old question...
andy
Status: Interested
Joined: 15 Oct 2004
Posts: 13
I've seen this question pop up quite a few times recently around the net. Residential/small business Cable/DSL routers always have a block list to allow your users to access all websites by default but block the sites listed in your access control list, but never have an allow list to block access to everything by default, but block the sites listed in your access control list. Why is that? The router manufacturers limit this functionality because they want you to buy their more expensive firewalling/proxy products.

There's no way to do this natively from within Windows 2000, and your router is purposefully crippled through the firmware to disable this functionality. Although there are probably commercial products that would allow you to set something up locally to do this, what I would do is set up a proxy server on your internal network and force the machines that need to have restricted access to access the web through it. A good, powerful proxy server would make this sort of filtering a relatively simple task.
Sound a bit heavy-handed? It's actually surprisingly simple.
I bet it's expensive as hell. Is free alright for you?

Considering that free is always better than not free, I would recommend using the Squid proxy server on SuSE Linux. Just install the latest freely downloadable version of SuSE Linux with all of the default options on some old machine you don't care about, make sure to install Squid and Webmin (which allows you to configure almost everything you could think of, from Apache, to printing, to Windows-compatible file and print sharing, etc. etc. etc., all through a web-browser-based GUI), make sure Webmin will allow connections from IP addresses within your internal network, detach the monitor, keyboard and mouse (being sure to disable 'halt on errors' in your BIOS so it will reboot successfully without a keyboard) so you can just stick it in some corner and forget that it exists. You should find megatons of tutorials and documentation on the net for installing and configuring not only Linux itself, but also almost anything that runs on it. Come on, go for Linux, it'll be fun!

If you don't want to set up a Linux box, there currently is a high-quality Windows port available. I've never used it, but as is the case for many Windows ports of Linux services, setting it up could potentially be a bit of a task compared to other Windows software... but here's a rather poorly written guide that does claim that it works 'out of the box':
www.bofi.camelot.de/squid.htm
The advantage to doing it this way is that you could install it on one of your existing machines if the user of that machine was trustworthy enough not to mess with the access control lists. (Heck, you might even be able to install it on each of the machines that needed restricted net access and set up the browser to use localhost as the proxy... hmm.) Just as long as that machine was running, even if nobody was logged in, Squid would be running and the restricted machines' net access would be working like a charm. However, since you'd be running two machines' net traffic through one other person's workstation, there is the potential for some slowdown for the person on the machine running the server if everyone decides to start downloading something at once.


If you don't want to use Squid

Although I've never tried any of them, and I'm not sure if they would be appropriate for the task, there is a list of freeware Windows proxy servers here:
www.snapfiles.com/freeware/network/fwproxy.html

On the client side

To set up the web browsers, all you need to do is go into the settings and add a proxy server. In Firefox it's Edit > Preferences > General > Connection Settings, and in Internet Exploder it's Tools > Internet Options > Connections > LAN Settings. I know that there's got to be a way to prevent Firefox users from changing the proxy server, but I'm not sure what that is. With Internet Exploder you can restrict users' access to the 'Internet Options' area by making them normal users (as opposed to power users or administrators), or by just disabling it in Windows policies using the MMC.


Any questions? You know where to post 'em!
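As an added example (not configuration from this thread or from the Squid project), here is a minimal squid.conf allow-list for the setup andy describes: only the two restricted workstations may use the proxy, and they may only reach a short list of sites. The LAN addresses, the two workstation IPs and the permitted domains are assumed placeholders; the rest is standard Squid ACL syntax.

```conf
# Listen on the default proxy port; point the two browsers at <proxy-host>:3128
http_port 3128

# Source ACLs: the two restricted workstations (assumed addresses)
acl restricted_pcs src 192.168.1.50 192.168.1.51

# Destination allow-list. A leading dot matches the domain and all subdomains.
# (assumed placeholder domains; put the owner's short list here)
acl allowed_sites dstdomain .example.com .example.org

# Only plain HTTP and HTTPS ports; CONNECT (HTTPS tunnels) only to port 443
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# 'all' is predefined in Squid 3.2 and later; older releases need it declared
acl all src 0.0.0.0/0.0.0.0

# http_access is evaluated top to bottom, first match wins.
# ACLs on one line are ANDed, so the allow line needs BOTH a restricted PC
# as source AND a listed site as destination.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow restricted_pcs allowed_sites
http_access deny  all
```

The proxy only enforces policy for traffic that actually goes through it, so the router rule that drops direct Internet access for those two LAN IPs (discussed later in the thread) is what stops a user from simply switching the proxy off.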
MatthewHSE
Status: Contributor
Joined: 20 Jul 2004
Posts: 122
Location: Central Illinois, typically glued to a computer screen
Thanks guys, I'll look into the options you've mentioned. At the moment, Andy's ideas about a proxy seem good; unfortunately I don't think this customer will go for another machine to run SuSE on. I have an old box I could sell cheap, but it's SO old I don't think it will run SuSE anyway. It only has 32 MB RAM and a 4 GB hard drive. So I may have to look into one of the Windows proxies.

I've already got everyone in this office using Firefox, which like you said allows them to change their proxy if they like. However, if I set the router config to totally disallow Internet access from these two IP's, then set them up to use the proxy, won't that essentially mean they HAVE to stick with the proxy I set up for them?

Thanks again for the ideas. I'll be looking into those proxy servers shortly.
andy
Status: Interested
Joined: 15 Oct 2004
Posts: 13
:: MatthewHSE wrote ::
...So I may have to look into one of the Windows proxies.

I would still recommend Squid for that.


:: MatthewHSE wrote ::
I've already got everyone in this office using Firefox, which like you said allows them to change their proxy if they like. However, if I set the router config to totally disallow Internet access from these two IP's, then set them up to use the proxy, won't that essentially mean they HAVE to stick with the proxy I set up for them?


Yeah, if your router has that functionality, then that would work perfectly. It would have the added bonus of blocking any other program that was trying to access the net from those boxes (i.e. AIM, Kazaa, etc.).
Rock on!
MatthewHSE
Status: Contributor
Joined: 20 Jul 2004
Posts: 122
Location: Central Illinois, typically glued to a computer screen
Whoa! I am way out of my league with the Squid configurations. What on earth is all that stuff? I tried to read the manual, but all I could find appeared to be for Linux, and I'm trying to run it on Windows. Besides which, it almost seems like you have to really know your IP/TCP stuff to get this working right, and I don't. I don't even know the terminology they're using in the config file comments.

So....HELP!!! ;)

Seriously, if I can get started off on the right foot here, I can probably figure a lot of it out myself. But right now I don't even know where to start, let alone which foot to start with! ;)

Aren't there any decent proxy apps out there with GUI configuration options? (Never thought I'd ask for a GUI over the raw config files...)