Limtiting internet access

Hi all, in my work network I need to restrict access to the internet for certain pc's.

I need the users to not have internet access using any browser yet the pc must still be able to download its normal windows and anti virus updates. What is the easiest way to do this?
6 answers Last reply Best Answer
More about limtiting internet access
  1. parent? are you using a router or a direct Ethernet port.
  2. The easiest way would be to prevent anyone but the admin from opening Internet Explorer. Since they can't open it, they can't install other browsers (you would also have to prevent them from installing anything).

    Just a suggestion, I'm not really a pro with networking.
  3. Best answer
    As I am reading this, it seems you're taking a 'parent at home' approach to a business matter, which leaves you susceptible to numerous, even if totally wrong, liability risk (aka you're racist because you let her/him on the Internet but not me). This sort of issue is decades old when business got connected to the Internet and wanted the same things, they want ONLY the positive aspects (patches / updates / etc. at NO COST) without any perceived negatives (why is he/she always on Twitter?).

    First, NO, there is NO way to allow a computer setup like a consumer PC to 'take care itself' but restrict the user from doing the 'same things' (the PC can get on the Internet but not the user).

    Second, This (as I inferred) is a Managerial issue, and such, should be laid out with your legal representative with a signed document and 'all hands call' that informs everyone of the policy they are MANDATORILY required for EMPLOYMENT from that day forward. Failure to sign, or agree to the terms, is then considered their wish to longer work at this business and your sorry to see them depart. In it you layout (for your liability) the specific expectations on the use of Internet, Phone, Electricity, etc. resources as provided by the company (you / your job) are company property, company costs, and such will be adhered to these requirements or be a reason for termination. ANY NEW employee also mandatavely has to sign this as well. This is normal legal business stuff the owners of the company must implement across the business, to ensure they don't "single out" any person or group of people, which is grounds for a lawsuit against the company (YES I am very serious here don't dismiss this, speak to your Risk Analysis Officer - every business should have one - or Legal Representative - required under law to have one).

    Third, if you're still dead set to do this, it will be EXPENSIVE and require hiring more IT staff, period. Sorry there is no other way. You would then need to setup a 'Proxy' Server for all Outbound Internet Traffic, this would need to be constantly revised depending on your applications (servers, etc.) needs and can impact business if not handled by trained and qualified personnel. Your Domain Server (you should be on a domain not just a bunch of computers 'connected to the router') the accounts are checked by the Proxy Server (usually Microsoft has all this laid out to do) for 'permission' for the User Account to access the Internet resources. When it checks they are part of the NOINET4U group it blocks them. This would be the best solution so they can't use IM clients, Newsgroups, FTP, Skype, and the other 64999 other 'ports' applications use, other then Port 80 for Web access. Then you would need to be setting up your inhouse Antivirus server (normally Symantec, McAfee, etc.) to monitor and maintain AV and other 'security' resources they sell, as they 'push' the updates to the client PCs (you asked to 'PULL' the updates) which the application is not blocked on INTERNAL IPs, which then the Proxy isn't involved. The AV server would have a separate Domain Admin acct for it to have both access over the PCs, but as well authorization for the Domain rules to be allowed full Proxy access out to the Internet. Then you need to setup a WSUS / SMS server for windows patches and management of those patches (as noted in both articles ). Again qualified technical people need to be hired and manage / tweak this overtime, and will have a business impact if in correctly done. This also would use a separate Admin account, again have full access INTERNALLY for the computers and pushing patches. Now in the case of the recent security flaw and the current Homeland Security advisory NOT to use Internet Explorer, patching all the Adobe Flash, etc. files would require either putting together a proper and working (which requires testing, and a QA process) SMS package to push out all the updates and install them (works best when you're talking hundreds to thousands of computers or computers in many remote areas / travelling alot) as well as have a Help Desk to call for support if something 'unique' happens. Otherwise you would need personnel to walk around with ThumbDrives to manually patch things, which then is not only time consuming (the ONE tech you hired is at ONE desk at a time till they are done, and can't do anything else), because many other 'issues' that were ignored / overlooked suddenly come up, and many times a simple 15 minute work becomes one hour or two to have the computer 'working' as expected. Figure that means that excess time (45min to 1:45) that would have been 3 to 7 other computers are now NOT being worked on, which means more time to manually do these fixes, not to include ALL the other IT issues that would still be happening at this time anyway.

    The Third option is standard Medium to Large Businesses 'daily' routine for IT staffs, and the reason for the investment in the hardware / software /personnel (imaging trying to do this for 200 or 2000 computers just in one building, now think of the common multi-state / multi-national company with computers spread over multiple time zones and locations!). Small business has to suck it up and just 'deal with it one on one' in order not to spend all this capital to do it like the M/L Businesses. ALL have to do the second option, just as much as what is the proper use of a company vehicle, or that employees can't call 1900SexmeUp lines etc. it is normal Business Management 101 (Speak to your certified Human Resource person BTW they usually are the one to handle Option 2).
  4. awww... you spoiled it. third comment and you already dropped the bomb.
  5. You could try net limiter, which limits the connection speed, but is still a pretty good solution, they'll soon give up if they have to wait an hour for a 2mb file download:p I believe it also allows one to completely stop downloading, other than normal browsing... Not sure though...
  6. kelix09 said:
    You could try net limiter, which limits the connection speed, but is still a pretty good solution, they'll soon give up if they have to wait an hour for a 2mb file download:p I believe it also allows one to completely stop downloading, other than normal browsing... Not sure though...

    Interesting idea, which follows under option 3 as a 'proxy' on each computer that blocks per application OR port. So could block application. Now for the BUT:

    1) This still does NOT avoid the 'he/she gets Internet access but I don't so I sue you for....' common response. This liability issue is one still needing the management solution, it is part of Business 101.
    2) You would have to manually include each single individual application listed out there (every IM, every WebBrowser, etc.) to block ONLY the program working as compared to say 'Antivirus needs to be updated to prevent the infected USB stick from damaging all your files', etc. THEN you have to do this MANUALLY for every computer being 'blocked', so for example if we are talking 20 computers, we are talking manually setting up over 2000 tomes those applications (conservatively) which does NOT block someone coming up with a NEW version (remember Chrome, FF, Facebook, etc,. all didn't exist at one time).
    3) As the likelihood the OP is not a certified technician, then the OP mostly likely doesn't know about setting security, etc. on the computers (all part of Option 3) which means everyone logs in with a 'Admin' account, and can just 'shut off' Net Limiter anytime they want.

    There is no other solution then to step up to a Domain, Firewall, etc. plus the proper Management / Legal paperwork necessary. Any hired Business Analysis can assist this way, as well as proper hiring Managers to oversee and implement the 'cost outlay' to move up to the 'next level'.
Ask a new question

Read More

Internet Access Networking Internet