Limtiting internet access

As I am reading this, it seems you're taking a 'parent at home' approach to a business matter, which leaves you susceptible to numerous, even if totally wrong, liability risk (aka you're racist because you let her/him on the Internet but not me). This sort of issue is decades old when business got connected to the Internet and wanted the same things, they want ONLY the positive aspects (patches / updates / etc. at NO COST) without any perceived negatives (why is he/she always on Twitter?).

First, NO, there is NO way to allow a computer setup like a consumer PC to 'take care itself' but restrict the user from doing the 'same things' (the PC can get on the Internet but not the user).

Second, This (as I inferred) is a Managerial issue, and such, should be laid out with your legal representative with a signed document and 'all hands call' that informs everyone of the policy they are MANDATORILY required for EMPLOYMENT from that day forward. Failure to sign, or agree to the terms, is then considered their wish to longer work at this business and your sorry to see them depart. In it you layout (for your liability) the specific expectations on the use of Internet, Phone, Electricity, etc. resources as provided by the company (you / your job) are company property, company costs, and such will be adhered to these requirements or be a reason for termination. ANY NEW employee also mandatavely has to sign this as well. This is normal legal business stuff the owners of the company must implement across the business, to ensure they don't "single out" any person or group of people, which is grounds for a lawsuit against the company (YES I am very serious here don't dismiss this, speak to your Risk Analysis Officer - every business should have one - or Legal Representative - required under law to have one).

Third, if you're still dead set to do this, it will be EXPENSIVE and require hiring more IT staff, period. Sorry there is no other way. You would then need to setup a 'Proxy' Server for all Outbound Internet Traffic, this would need to be constantly revised depending on your applications (servers, etc.) needs and can impact business if not handled by trained and qualified personnel. Your Domain Server (you should be on a domain not just a bunch of computers 'connected to the router') the accounts are checked by the Proxy Server (usually Microsoft has all this laid out to do) for 'permission' for the User Account to access the Internet resources. When it checks they are part of the NOINET4U group it blocks them. This would be the best solution so they can't use IM clients, Newsgroups, FTP, Skype, and the other 64999 other 'ports' applications use, other then Port 80 for Web access. Then you would need to be setting up your inhouse Antivirus server (normally Symantec, McAfee, etc.) to monitor and maintain AV and other 'security' resources they sell, as they 'push' the updates to the client PCs (you asked to 'PULL' the updates) which the application is not blocked on INTERNAL IPs, which then the Proxy isn't involved. The AV server would have a separate Domain Admin acct for it to have both access over the PCs, but as well authorization for the Domain rules to be allowed full Proxy access out to the Internet. Then you need to setup a WSUS / SMS server for windows patches and management of those patches (as noted in both articles http://technet.microsoft.com/en-us/magazine/2005.11.maximizepower.aspx http://msdn.microsoft.com/en-us/library/ff647981.aspx ). Again qualified technical people need to be hired and manage / tweak this overtime, and will have a business impact if in correctly done. This also would use a separate Admin account, again have full access INTERNALLY for the computers and pushing patches. Now in the case of the recent security flaw and the current Homeland Security advisory NOT to use Internet Explorer, patching all the Adobe Flash, etc. files would require either putting together a proper and working (which requires testing, and a QA process) SMS package to push out all the updates and install them (works best when you're talking hundreds to thousands of computers or computers in many remote areas / travelling alot) as well as have a Help Desk to call for support if something 'unique' happens. Otherwise you would need personnel to walk around with ThumbDrives to manually patch things, which then is not only time consuming (the ONE tech you hired is at ONE desk at a time till they are done, and can't do anything else), because many other 'issues' that were ignored / overlooked suddenly come up, and many times a simple 15 minute work becomes one hour or two to have the computer 'working' as expected. Figure that means that excess time (45min to 1:45) that would have been 3 to 7 other computers are now NOT being worked on, which means more time to manually do these fixes, not to include ALL the other IT issues that would still be happening at this time anyway.

The Third option is standard Medium to Large Businesses 'daily' routine for IT staffs, and the reason for the investment in the hardware / software /personnel (imaging trying to do this for 200 or 2000 computers just in one building, now think of the common multi-state / multi-national company with computers spread over multiple time zones and locations!). Small business has to suck it up and just 'deal with it one on one' in order not to spend all this capital to do it like the M/L Businesses. ALL have to do the second option, just as much as what is the proper use of a company vehicle, or that employees can't call 1900SexmeUp lines etc. it is normal Business Management 101 (Speak to your certified Human Resource person BTW they usually are the one to handle Option 2).