Limiting Internet Access on Specific Workstations
Novell Cool Solutions: Tip
Posted: 17 Sep 2001
Current version: ZENworks for Desktops 3.2
Recently we published this Open Call in the Q&A.
Chris C. wrote: I am hoping to see if you can publish this as an open question.
We are having some misuse in internet activity on our teller line stations. The way they are configured (physical sitting) it is really hard to "monitor" their activity. We don't want to keep people from being able to log in and do research to any site in other areas, but since we are a financial institution, it is not appropriate for the tellers to do this on the teller line.
I am trying to find a way to make it so that certain workstations can access a limited set of sites. However, other workstations should be able to have full access to whatever websites. Therefore, this will need to be at the workstation level. Does anyone have a solution for such a thing using ZfD3 or BorderManager 3.5 or a combination of both?
OPEN CALL: Here are a couple of thoughts, Chris, but we're guessing someone out there has done exactly this, and will have a better idea. Bank sys admins, or anyone else who can shed some light, please fire away.
- Autoadmin login to DS as a 'teller' generic account; use BorderManager to restrict access.
- Use ZfD to deliver IE restrictions and proxy settings.
We use bmee3.5 (BorderManager Enterprise Edition) to limit user access to the internet. The default is to deny all. I set up an access rule to allow certain NDS users the right to go to certain sites. You need to create a list of sites in bmee3.5 setup, which can be painstakingly slow, but once it's done it's easy to update and implement.
You can also use clntrust.exe to allow outgoing access, create a group, add users that you want to have access and launch clntrust.exe in the login script or as a NAL object with auto launch. This is just one of many ways to use bmee3.5 and/or ZENworks to set this up. It really should not be a problem to do so.
Here's a crude, but effective way that I use to disable Internet access:
During login, I run a .BAT file. Based on a flag file at the workstation or in the user's home directory, I disable DNS for machines that should be restricted from the Internet. Though the Internet is still accessible, you'll have to browse using IP addresses! Because most Internet browsing is dependent on DNS names, this effectively disables Internet access. Additionally, if there are a few web sites that are "authorized" for a machine, you could add the necessary resolution to the HOSTS file on the local machine.
For those users that figure out that they just need to re-specify DNS servers, using ZEN or even an AT command, you can re-run the .BAT file at regular intervals. At some point, the user will find it's too much of a hassle to re-enable Internet access, and perhaps get back to work.
Here are the files I use and some technical detail:
DNS (ENABLE/DISABLE/CHECK/FLAG) (WS/USER) (USERNAME) (DEPT) (ON/OFF)
- ENABLE: Enable DNS
- DISABLE: Disable DNS
- CHECK: Checks WS and User for DNS access, and whether it is currently enabled or not, and sets it accordingly
- FLAG: (WS/USER) (USERNAME) (DEPT) (DELETE) specify Workstation or User to disable DNS access; if USER is specified, specify UserName and Dept as well
  NOTE: by default, the flag to DISABLE access is created
  DELETE as the last parameter will remove the disable flag.
To re-enable access, you must manually delete the flag file.
The .REG files are the files I "silently" (/s) merge to enable or disable DNS.
If you have any questions you may contact Bryan at bkeadle@TAKETHISOUTkeadle.net
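The flag-file approach above, written out as an added example (this is not Bryan's own DNS.BAT or his .REG files, which were not published with the tip). It keeps his ENABLE / DISABLE / CHECK / FLAG modes but drops the USERNAME and DEPT parameters, locating the user flag on the mapped home drive instead. Everything below is assumed rather than taken from the tip: the flag file name NODNS.FLG, the workstation flag directory C:\RESTRICT, the home drive letter H:, the DNS server address 10.0.0.53, and the mechanism for "disabling DNS", which here blanks the static NameServer value under Tcpip\Parameters (so it applies to statically configured NT/2000 clients; a DHCP-assigned DNS list would need a different value). The script needs cmd.exe (Windows NT/2000 or later), not COMMAND.COM.

```batch
@echo off
rem Added example, not Bryan's script: toggle workstation DNS based on
rem a per-workstation or per-user flag file, merging a .REG silently.
rem Usage: DNS ENABLE | DISABLE | CHECK | FLAG WS|USER [DELETE]
setlocal
set TARGET=
set FLAGNAME=NODNS.FLG
set WSFLAG=C:\RESTRICT\%FLAGNAME%
set USERFLAG=H:\%FLAGNAME%
set DNSSERVER=10.0.0.53
set REGKEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

if /I "%1"=="ENABLE"  goto ENABLE
if /I "%1"=="DISABLE" goto DISABLE
if /I "%1"=="CHECK"   goto CHECK
if /I "%1"=="FLAG"    goto FLAG
goto USAGE

:ENABLE
rem Write a REGEDIT4 file that restores the DNS server list, then merge it
rem with regedit /s so the user sees no prompt.
> "%TEMP%\dnson.reg"  echo REGEDIT4
>>"%TEMP%\dnson.reg"  echo.
>>"%TEMP%\dnson.reg"  echo [%REGKEY%]
>>"%TEMP%\dnson.reg"  echo "NameServer"="%DNSSERVER%"
regedit /s "%TEMP%\dnson.reg"
echo DNS enabled.
goto END

:DISABLE
rem Same idea with an empty server list: names no longer resolve, but
rem anything in the local HOSTS file still does, which is the allow list.
> "%TEMP%\dnsoff.reg"  echo REGEDIT4
>>"%TEMP%\dnsoff.reg"  echo.
>>"%TEMP%\dnsoff.reg"  echo [%REGKEY%]
>>"%TEMP%\dnsoff.reg"  echo "NameServer"=""
regedit /s "%TEMP%\dnsoff.reg"
echo DNS disabled.
goto END

:CHECK
rem Re-apply whatever state the flag files call for. Writing the same
rem value twice is harmless, so this is the mode to run from the login
rem script or a scheduled AT job to undo a user's manual re-enable.
if exist "%WSFLAG%"   goto DISABLE
if exist "%USERFLAG%" goto DISABLE
goto ENABLE

:FLAG
rem FLAG WS creates the workstation flag, FLAG USER the user flag;
rem a trailing DELETE removes it instead.
if /I "%2"=="WS"   set TARGET=%WSFLAG%
if /I "%2"=="USER" set TARGET=%USERFLAG%
if "%TARGET%"=="" goto USAGE
if /I "%3"=="DELETE" goto UNFLAG
for %%D in ("%TARGET%") do if not exist "%%~dpD" mkdir "%%~dpD"
echo DNS restricted > "%TARGET%"
echo Created flag %TARGET%
goto END

:UNFLAG
if exist "%TARGET%" del "%TARGET%"
echo Removed flag %TARGET%
goto END

:USAGE
echo Usage: %0 ENABLE ^| DISABLE ^| CHECK ^| FLAG WS^|USER [DELETE]

:END
endlocal
```

A typical deployment would call `DNS CHECK` from the container login script and again from a periodic job, and use `DNS FLAG WS` once on each teller station (or `DNS FLAG USER` in a restricted user's home directory). Because the flag and the HOSTS allow list are plain files, they are also easy to audit: a station whose NameServer value is populated while its flag exists has been tampered with.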
I posted the original question in this Open Call, and I wanted to tell you that I have an update that works!
Using ZENworks for Desktops 3, and BorderManager 3.5 Enterprise Edition, I was able to come up with this solution.
On the stations where I wish to restrict access, I do not run CLNTRUST; I associate the application only with the stations that should have full access. Now, to allow these stations without CLNTRUST running on them to view the pages I want them to be able to, I simply resolve the IP address (a simple ping does a good job), go into BorderManager Setup on the BorderManager server, click on Details in Transparent Proxy, and add the IP addresses of the sites I wish to allow there.
This is an "OK" way to do it, not the easiest, but the number of sites these restricted stations will be able to view is about 5-10, so I should have no issues with setting this up.
Thanks to Barry H. for his suggestion that kind of led me to the right path!
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com