Blocking Web Surfing
Novell Cool Solutions: Trench
Updated: 29 Nov 2007
Laurent A. wrote: I would like to be able to block people from surfing the web. I have been looking on the web for solutions, but have not come across anything suitable. Maybe I just could not come up with the right words to search.
OPEN CALL: Anyone out there got any suggestions for Laurent? Let us know.
- Curtis Sorensen
- David Tuck
- John Moss
- Jeff Crawford
- Eric Ho
- Paul Caron
- Daniel Ball
- Paul Terris
- Michael Roizman
- Bengt Bäckström
- Luke Meijer
- Doug Vatier
- Sangita Patel
- Brian Schonecker
- Steven Lawrance
- Dwayne Watkins
- Scott McKenna
- Marcel de Roode
- Robert Roye
- John Ferrillo
- Wayne Hewett
- John Sweeney
- Gregg Berkholtz
- Don Meyer
- Jim Sepanik
- Billy Stokes
- Catrinus Feddema
- David Paul
- Scott Keith New
I recently had to deal with the same issue. And, after considering more elaborate methods, I came across this fairly simple fix. To prevent users from accessing the Internet using Internet Explorer, we can configure the browser to use a non-existent Proxy Server address. Whenever the user tries to access a web page, the browser will attempt to proxy through our bogus server and return a "Page not Found" error after timing out.
To accomplish this, we created a ZENworks Application Object to push out the following registry settings:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001

These settings enable the use of a proxy server.

"ProxyServer"="http://ProxyServername:80"

Contains the address of the Proxy server. Since we want to block web access, just fill this in with a few random characters.

"ProxyOverride"

Use this setting if there are websites that you want your users to have access to. Addresses should be separated by a semicolon (;).

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001

This setting prevents users from opening "Internet Options" and changing the Proxy settings back to default.
A list of other Internet Explorer Registry settings can be found here.
We have had a great deal of success by using ZENworks to push out a policy that sets the proxy to a fake IP number then block the ability to change the advanced settings and use regedit in other policy settings. At my school we actually have set the proxy to a live web server in the building that notifies the users in this group that they have "Reached the end of the Internet." This setting also allows you to have exceptions and we configure it to allow for various online databases and our local district web sites.
If you are running McAfee on your PCs, then McAfee's Enterprise anti-virus 8.0i has a Port 80 blocking rule already included. Just make sure Windows Explorer is not in the exclusions list.
We use a product from Master Solution called Surf-lock.
It does cost money, but it provides an easy "on/off" solution that non-technical people can do.
We use it at both the High School and Middle School level. Teachers or Lab Supervisors simply click a button when they do not want students (or staff) to browse the Internet.
There are some disadvantages:
- It is all or nothing. You cannot single out one machine.
- You cannot exempt local intranet web servers.
I hope this helps!
I am not sure what you mean by blocking internet surfing. If you want to block out a lot of PCs, then define a new subnet and block out the entire subnet in the firewall, switch, or router.
If you want to block out more than a few PCs, use IEAK to predefine the IE setting (Connection). Roll out IE in those PCs, and take away the Admin rights from the users, so they cannot modify the setting.
At my previous job, we deployed IE via ZENworks, for only those users who had signed an acceptable use policy. That application would change the default port on the workstation from 88 to 80 so that the ZENworks IE would work properly. After exiting IE, ZENworks would put the registry entry back to switch the port to 88. This would prevent long-term unauthorized usage of IE by people who know about port 80 and tried to switch it back to 80. ZENworks policies would eventually stomp that port back to 88. It was a cheap but effective way of controlling exactly who could use IE and preventing unauthorized usage.
I used a ZENWorks Policy package and a User Group along with Route.exe.
I named my policy package, "User No Internet Package". In the Policy Package, I created a custom policy I named, "Route DNS to Bogus Address". The policy is set to run at user login. As for the properties, I stated three Actions to cover the three DNS entries pushed to the client by DHCP.
route.exe add 18.104.22.168 192.168.60.70
route.exe add 22.214.171.124 192.168.60.70
route.exe add 126.96.36.199 192.168.60.70
Works as follows: Route.exe updates the current route table on the PC. The entries I supplied are my three DNS Server entries, and I'm re-routing them to an unassigned (private network) address, 192.168.60.70, using the add switch.
I then created a User group I called, "No Internet" and assigned this policy package and any users that I don't want surfing. If a new user logs into the PC (following a shutdown/restart) and he/she's not assigned to the group, the PC's route table is not modified and that user can surf. Then if a no-surf user logs in, the policy runs updating the route table with the bogus entries again eliminating surfing.
This was prior to the installation of an internal DNS Server and going to pure IP on my network. If you have certain internal name resolution needs, this method might not be appropriate for you unless you want to maintain host files.
Just to let you know, we use two methods to control internet access for our students:
Method 1. As we are BorderManager users we use Cltrust for the authentication to the proxy, which is run via login script. For any students that abuse the internet or break our AUP we have simply created a group in eDirectory that does not run Cltrust. Once you are a member of this group then dwntrust runs only, hence no internet access. Mainly used by the IT Department to completely remove access to the internet for long periods of time.
Method 2. In our computer teaching rooms a product called Browsecontrol is used. This gives full control of the internet on every PC to the teacher (IT department do not get involved once installed). The teachers can turn the internet off/on on all machines or any individual PC. We have had very good feedback from teachers on this product...funnily enough our students seem to hate it....wonder why?
Set the IE proxy to 127.0.0.1 and lock down the user to prevent them from changing the proxy setting.
A group policy can be applied to enter a local proxy setting so that only internal networks can be reached. Mind, though, that this applies to Internet Explorer also.
One possible solution off the top of my head, but a little drastic:
Run a NAL window shell, create a group for the association of IE, then select to disallow execution of programs outside the NAL window.
What we do when there is an exam in one of our classrooms is to associate the class users with a user policy package that sets the proxy to 127.0.0.1 (loopback) and prevents the users from changing the internet options.
I simply use NAL to distribute registry settings to disallow iexplore.exe to run.
Create nal object which will run and distribute following registry setting to all users.
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="iexplore.exe"
If your gateway to the Internet is running Linux or OES, you have a very easy option:
Insert a rule into your iptables firewall (you ARE running a firewall on your gateway, aren't you?) to prohibit the PC itself from accessing the internet. You can block either via the IP address of the client PC, or, better yet, its MAC address (which won't ever change). To block via the MAC address:
iptables -I FORWARD -p tcp --dport 80 -m mac --mac-source 01:23:45:56:78:9A -j REJECT
Substitute the MAC address of the client PC where it says "01:23:45:56:78:9A". Note that this won't block HTTPS traffic -- only HTTP. Also, this rule works only for PCs that are directly attached to the network segment on which your Linux server is connected. If the PC has to traverse a router to get to your Linux gateway, you'll lose the MAC information in transit and you'll have to use a firewall rule for the IP address.
To block via the IP address:
iptables -I FORWARD -p tcp -s 192.168.0.1 --dport 80 -j REJECT
Substitute your PC's IP address for 192.168.0.1.
This is pseudo code and may require a bit of tweaking at your end.
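The two rules above are one-offs for a single PC and, as the post notes, cover only port 80. What follows is an added example (not part of the post, and not the poster's own script) that generates the same kind of FORWARD rules for a whole list of clients in Python: it validates each identifier, accepts either a MAC (same-segment hosts) or an IPv4 address (hosts behind a router), and emits a rule for 443 as well as 80. The client list is constructed for illustration, and `--reject-with tcp-reset` is a choice of this example rather than the post's.

```python
"""Generate iptables FORWARD rules that block web access per client.

Added example, not from the original post. The client list and the
choice to block 443 alongside 80 are this example's own.
"""
import ipaddress
import re

# Colon-separated MAC, six hex octets.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# The post's rule covered 80 only, which leaves HTTPS open; cover both.
WEB_PORTS = (80, 443)


def classify(client):
    """Return 'mac' or 'ip' for a client identifier; raise ValueError otherwise."""
    if MAC_RE.match(client):
        return "mac"
    ipaddress.IPv4Address(client)  # AddressValueError (a ValueError) if malformed
    return "ip"


def block_rules(client, ports=WEB_PORTS):
    """Build one iptables command per port for a single client.

    MAC matching only works when the client is on the same L2 segment as
    the gateway (the source MAC is rewritten at every router hop), so a
    client behind a router must be given by IP address instead.
    """
    if classify(client) == "mac":
        selector = "-m mac --mac-source " + client.upper()
    else:
        selector = "-s " + client
    return [
        "iptables -I FORWARD -p tcp %s --dport %d -j REJECT --reject-with tcp-reset"
        % (selector, port)
        for port in ports
    ]


def block_script(clients):
    """Render a shell script applying the rules for every client.

    Duplicates (case-insensitive, so 'AA:..' and 'aa:..' collapse) are
    skipped, and a malformed identifier aborts generation before any
    rule is written, rather than leaving a half-applied rule set.
    """
    lines = ["#!/bin/sh", "set -e"]
    seen = set()
    for client in clients:
        key = client.lower()
        if key in seen:
            continue
        seen.add(key)
        lines.extend(block_rules(client))
    return "\n".join(lines) + "\n"


# Constructed sample: one client by MAC, one by IP, and a duplicate MAC
# that differs only in case.
SAMPLE_CLIENTS = ["01:23:45:56:78:9a", "192.168.0.1", "01:23:45:56:78:9A"]

if __name__ == "__main__":
    print(block_script(SAMPLE_CLIENTS))
```

Run the script as root on the gateway (or pipe it into `sh`) after reviewing the output; because each rule is inserted with `-I`, the last client listed ends up at the top of the FORWARD chain, which does not matter here since every rule is a REJECT.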
I came across the "Blocking Internet Explorer Surfing" page and want to share my approach. I tried the proxy.pac-that-restricts-which-sites-users-can-visit-based-on-string-matches approach in the non-profit that I work at, but that approach prevented the file Explorer from using FTP and WebDAV URLs unless a person in IT allowed that FTP or WebDAV site in the proxy.pac explicitly for every case.
Seeking to eliminate that process and only block web pages in IE and Explorer, I wrote a Browser Helper Object that I named the IE URL Lock and made it publicly available under the LGPL at http://ieurllock.sourceforge.net/ . I deployed it at work earlier this year and have not had any problems with it. It matches URLs against a regular expression allow-list and, if matched, the IE URL Lock will permit IE to visit that site. Otherwise, and by default, all other sites are blocked and, instead, a custom web page appears to inform the user about this block and to inform their support contact if the requested site does not work in Mozilla Firefox, which we also deployed at work as a part of our Windows XP transition. (Perhaps they will transition to SUSE Linux eventually.)
Configuration changes are performed through the Group Policy Editor, which should make it work with ActiveDirectory, though I'm sure that it can work with ZENworks, too. Actually, if it would help anyone to include any extra ZENworks or Novell-specific configuration files within the IE URL Lock standard distribution, I will be more than willing to include it; just let me know.
The only loophole in the IE URL Lock is that, on Windows XP SP 2, users can potentially turn it off through the Manage Web Add-Ins button in the IE Options. I'm planning to explore a way to have the IE URL Lock automatically lock down the permissions on the HKCU registry keys that control that to prevent users from disabling it, but I have not had time to do that yet. Most users will likely not know how to turn it off, and it's also possible to push that registry setting through policies at every user login so that those who figure it out won't have the IE URL Lock disabled permanently. At least at the non-profit that I work at, we have not had any new spyware infestations after the Windows XP migration, which included a switch to Firefox away from IE, so I'm guessing that either no one or only a tiny set have figured it out (we also hid IE's Start Menu item deep within a subfolder within Programs, effectively preventing most from even accidentally running IE).
The IE URL Lock is packaged as a MSI that should permit easy deployments with ActiveDirectory, though I have not tested that scenario as we don't use ActiveDirectory yet at the non-profit (I centrally deployed it with a custom Cygwin Bash script, the 'reg' and 'cp' commands, and a list of our workstations). The MSI might not set up the IE URL Lock properly in "Install on First Use" mode, so ensure that the Full Installation mode is used instead. This is my first MSI, and I have not had time to get "Install on First Use" mode working properly yet.
If you have any suggestions, ideas, or even patches to improve the IE URL Lock, please let me know. Thanks!
Our current solution is similar to Daniel Ball's. We have two groups: internet users, and remote internet users (for users on our remote buildings).
The first group gets proxy settings for our local gateway and authentication. The second group gets LDAP authentication settings as well as proxy settings.
By using LDAP we were able to configure users to use their Novell client logins.
If your intention is to shut down Web access we have used the following registry edits delivered by a ZENworks App based on membership in a group:
DNS NO GROUP =

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""
"DHCPNameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"NameServer"=""
"DHCPNameServer"=""

DNS YES GROUP =

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="<enter your Name server IP addresses>"
"DHCPNameServer"="<enter your DHCPName server IP addresses>"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"NameServer"="<enter your Name server IP addresses>"
"DHCPNameServer"="<enter your DHCPName server IP addresses>"
This can also be delivered through the login script with a batch file.
This prevents user access to the Internet.
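Three of the approaches in this thread (the fake-proxy settings, the DisallowRun entry, and the DNS-clearing settings just above) come down to a .reg fragment that ZENworks or a login script pushes blindly, so it is worth checking what a fragment actually sets before deploying it. The Python below is an added example, not code from any post here: it parses REGEDIT4 / "Windows Registry Editor Version 5.00" text into a dictionary and runs one check per approach. The sample .reg text is constructed from the fragments in this thread. The DisallowRun check encodes a Windows rule that is not stated in the post: the list under Policies\Explorer\DisallowRun is only enforced when the DisallowRun DWORD in Policies\Explorer itself is 1, which the posted fragment does not include.

```python
"""Parse .reg fragments and check the state they leave a workstation in.

Added example, not from any post in this thread. Sample .reg text is
constructed from the fragments posted above.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg file body.

    dword:XXXXXXXX becomes an int, quoted strings are unquoted, and a bare
    quoted name with no '=' (like the "ProxyOverride" line in the proxy
    post) is recorded as None so 'mentioned' can be told from 'set'.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError("value outside any key: %r" % line)
        m = VALUE_RE.match(line)
        if not m:
            current[line.strip('"')] = None
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = data[1:-1]
        else:
            current[name] = data  # hex(...) and other types left as raw text
    return result


INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"


def proxy_blackholed(reg):
    """True if IE is forced through a proxy and a proxy address is set."""
    s = reg.get(INET, {})
    return s.get("ProxyEnable") == 1 and bool(s.get("ProxyServer"))


def disallow_run_effective(reg, exe):
    """True only if exe is listed AND the DisallowRun switch itself is 1.

    Windows ignores the list when the DWORD is absent or 0 (assumed
    Windows behaviour, stated in the lead-in).
    """
    enabled = reg.get(POLICIES, {}).get("DisallowRun") == 1
    listed = {v.lower() for v in reg.get(POLICIES + r"\DisallowRun", {}).values()
              if isinstance(v, str)}
    return enabled and exe.lower() in listed


def dns_cleared(reg):
    """True if both static and DHCP-supplied name servers are emptied."""
    p = reg.get(TCPIP, {})
    return p.get("NameServer") == "" and p.get("DHCPNameServer") == ""


# Constructed from the fragments posted in this thread.
PROXY_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyServer"="http://ProxyServername:80"
"ProxyOverride"
'''

DISALLOW_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="iexplore.exe"
'''

DNS_NO_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""
"DHCPNameServer"=""
'''

if __name__ == "__main__":
    print("proxy blackholed:", proxy_blackholed(parse_reg(PROXY_REG)))
    print("iexplore.exe blocked:", disallow_run_effective(parse_reg(DISALLOW_REG), "iexplore.exe"))
    print("DNS cleared:", dns_cleared(parse_reg(DNS_NO_REG)))
```

Run against the DisallowRun fragment as posted, the second check comes back False; adding `"DisallowRun"=dword:00000001` under the Policies\Explorer key makes it True. The parser only handles string and dword data, which is all these fragments use.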
IMHO, when you can surf with Internet Explorer, you can surf with Windows Explorer.
If you want to block internet surfing you should block at your network perimeter.
I personally use a Netgear FVS318 router to turn on or off internet access. You can block access by IP or MAC address, and even schedule when access is/is not allowed. This does not block internal surfing, but it also does not work for blocking by program only. The router also allows for handling up to 8 VPNs and is very affordable.
To block by program, use the computer's firewall to block the program (ZoneAlarm works very well) - be sure to do it with an administrative account, so normal users (I'm assuming your users do not have admin rights) cannot change it.
Of course the best way would be to use Linux for the desktops so it's not even a concern.
Another option is to install IPCop. It is a Linux-based firewall distribution that can run on just about any old piece of hardware.
Once installed there is an add-on available from the add-ons page at ipcop.org. This add-on is called Urlfilter. Once this is installed you can enable the feature called Browser check. Only browsers that you allow will be able to surf the net. It is great to be able to stop the blue "E" from doing any damage to local systems.
Using the registry to replace the proxy setting is working for us. What our technician, Leigh, has developed is a small executable that appears on every teacher's desktop. Because we have named each machine in a lab with a labname identifier, we can group machines. The executable allows you to identify which lab you want to turn off/on.
When the teacher clicks on the lab of choice, the student actually calls the executable (the icon is the same as the normal IE) and this runs, replacing the proxy address with a bogus one, and then it calls IE. At the end of the lesson, the teacher turns the lab back on for the next user. (Many forget to do this.)
The only downer is that if students are already using IE and you turn off the lab too late, they can continue to browse unaffected.
Simple and it works, but only for IE and not Mozilla, Opera, etc.
We use a software package called LANschool. It can shut down IE during the class at the teacher's discretion and it can be pushed through ZENworks.
We require all users to use a Squid proxy server, which then watches when IE tries to hit a site. If the site is listed in our "IE SafeSites" list then IE access is permitted, otherwise, the users are redirected to a webpage reminding them to use Firefox for general web browsing.
The fake proxy is a great idea. I would like to add a level of option to this idea. In IE, exceptions can be created. For example, we have our own web page that we do allow employees to see. This site is in the exception section. Any local servers that are needed are also created as exceptions. Send your folks to the fake proxy but create exceptions as needed to bypass the proxy.
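Several posts in this thread (the fake-proxy registry settings, the "end of the Internet" proxy with database exceptions, and the exceptions idea just above) rely on IE's ProxyOverride list to let a blocked group still reach intranet sites. The Python below is an added example, not code from any post, that evaluates an exceptions list against a set of URLs so it can be checked before being pushed out. It assumes the IE semantics as commonly documented: entries separated by ';', '*' as the only wildcard, '<local>' matching any host without a dot, and an optional ':port' suffix on an entry; IPv6 literals are not handled. The exceptions list and URLs are constructed for illustration.

```python
"""Evaluate an IE ProxyOverride (exceptions) list against URLs.

Added example, not from any post in this thread. Semantics assumed:
';'-separated entries, '*' wildcard, '<local>' = host without a dot,
optional ':port' on an entry. IPv6 literals are out of scope.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def _entry_to_regex(host_pattern):
    """Anchored, case-insensitive regex for one host pattern; '*' matches anything."""
    return re.compile("^" + re.escape(host_pattern).replace(r"\*", ".*") + "$",
                      re.IGNORECASE)


def parse_override(value):
    """Split a ProxyOverride string into (host_regex, port, is_local) rules."""
    rules = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate ';;' and trailing ';'
        if entry.lower() == "<local>":
            rules.append((None, None, True))
            continue
        entry = re.sub(r"^[a-z]+://", "", entry, flags=re.IGNORECASE)
        host, port = entry, None
        if ":" in entry and entry.rsplit(":", 1)[1].isdigit():
            host, port_s = entry.rsplit(":", 1)
            port = int(port_s)
        rules.append((_entry_to_regex(host), port, False))
    return rules


def bypasses_proxy(url, override):
    """True if the URL's host (and port, when the entry names one) matches
    an exception, i.e. the request would NOT go through the bogus proxy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    for regex, rule_port, is_local in parse_override(override):
        if is_local:
            if host and "." not in host:
                return True
            continue
        if rule_port is not None and rule_port != port:
            continue
        if regex.match(host):
            return True
    return False


def audit(override, urls):
    """Return {url: bypasses_proxy} for every URL in the list."""
    return {u: bypasses_proxy(u, override) for u in urls}


# Constructed exceptions list for a "no internet" group: the intranet
# server, every host under lab.example.org, a reports server on 8080
# only, and unqualified local names.
OVERRIDE = "intranet.example.org;*.lab.example.org;reports.example.org:8080;<local>"
SAMPLE_URLS = [
    "http://intranet.example.org/",            # exact entry
    "http://intranet/",                        # <local>
    "http://pc1.lab.example.org/",             # wildcard
    "http://lab.example.org/",                 # '*.lab...' needs a dot prefix
    "http://reports.example.org:8080/",        # port matches
    "http://reports.example.org/",             # port 80, entry says 8080
    "http://www.google.com/",                  # not listed
    "http://intranet.example.org.evil.test/",  # anchored: no match
]

if __name__ == "__main__":
    for url, ok in audit(OVERRIDE, SAMPLE_URLS).items():
        print("%-42s %s" % (url, "bypasses proxy" if ok else "via proxy (blocked)"))
```

The anchoring matters: an entry such as `example.org*` also exempts `example.org.evil.test`, and `*example.org` exempts `evilexample.org`, so wildcard entries should be written as `*.example.org` and checked with something like the audit above before they go out to the "no internet" group.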
Our proxy server requires authentication against an LDAP-compliant database. We originally used iPlanet, but now use eDirectory. When the user authenticates, the proxy server checks a field and if it is set to 1, the user can surf. If it is 0, they can't. You can either extend the schema and have a custom field, or use an LDAP group and map it to a field you do not use.
We also log what sites people hit, and if they hit too many inappropriate sites, their access is removed.
It seems that a lot of folks suggest setting up a fake proxy for IE - this works great, unless you want users to have SOME net access. We have several employees that need to access various websites as part of their daily routines. We have an app object that sets IE to use a Smelt proxy - users must sign in to authenticate, which allows us to track which users are going to what sites (we don't use this to 'big brother' our users; but it is a handy troubleshooting tool, and is almost required by auditors for our institution).
Smelt routes traffic through Websense, which we have set up to automatically block/filter various traffic. We have found that several legit sites get blocked; also, we realized that it was a real pain to have all users enter the uname/pw for things like Antispyware (which we have on all workstations) connecting to its update site to get the latest spyware definitions. However, we simply added these sites to the IE proxy settings exceptions list - and this list gets pushed out with the same app object that sets up the Smelt proxy. This is set to push out for every user at login time - so every time a user logs in, their proxy is set and they receive an up-to-date exceptions list.
This setup does cost money, but since the solutions it provides were required by auditors we did not have a lot of options.
We use a little tool called ccproxy, which comes from www.youngzsoft.com. It is not free. In every classroom we run it on the teacher's computer. All the machines in the classroom have the teacher's computer as their proxy address. By adding the MAC or IP addresses of all the machines in the classroom and making a filter for Access and No Access in ccproxy, the teacher can permit or disable internet access on the fly.
One thing to try: stop the DC server from sending the DNS information. Nobody will be able to access the internet then unless the DNS information is manually entered into their computer. Ctrl-Pnl -> Administration -> DNS
You can block Internet explorer from being opened through gpedit.msc or go under the properties of tcp/ip and add a fake default gateway. You could even turn on content advisor in Internet Explorer and give it a password.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com