Is there a way to force the user to use the modem DNS settings? I'm using OpenDNS (set within the modem settings) but think the users are simply entering alternate DNS servers in the browser settings or temporarily re-configuring the network settings.
I know the easy solution is to take away administrative privileges, but due to the work the users are doing, they need admin privileges...
Not unless the modem/router has that option. In my case, I'm using dd-wrt/tomato (third party firmware) routers that either have this option, or worst case, I can manually add firewall rules (using iptables) to prevent access to any other DNS servers.
Even so, it's important to realize that depending on the users’ network savvy and determination, almost ANYTHING you attempt to prevent/filter can probably be overcome by simply using a VPN or other proxy. So any measures you take will only be effective against users w/ limited networking knowledge. A real hacker-type will always defeat your efforts in the end (unfortunately).
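The "manually add firewall rules (using iptables)" approach from the post above, as an added example that is not from the thread or from the dd-wrt/tomato projects. It assumes a dd-wrt style router whose LAN bridge is `br0`, whose own address is `192.168.1.1` and whose local forwarder is already configured to use OpenDNS; the interface name, address and the "block" / "redirect" mode names are assumptions for the example. The script prints the rules rather than applying them, so it can be reviewed (and run in this page's verifier) without iptables present; piping its output to `sh` on the router applies them.

```shell
#!/bin/sh
# Added example: generate iptables rules that stop LAN clients from using any
# DNS server other than the ones the router allows. Values below are assumptions.
LAN_IF="${LAN_IF:-br0}"                 # assumed LAN bridge interface (dd-wrt default name)
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # assumed router LAN address running the DNS forwarder
# OpenDNS's public resolver addresses; replace if the router forwards elsewhere
ALLOWED_DNS="${ALLOWED_DNS:-208.67.222.222 208.67.220.220}"
MODE="${MODE:-block}"                   # "block" drops stray DNS, "redirect" rewrites it

# dns_lockdown_rules MODE LAN_IF ROUTER_IP "DNS1 DNS2 ..."
# Prints one iptables command per line; nothing is applied here.
dns_lockdown_rules() {
    mode="$1"; lan_if="$2"; router_ip="$3"; allowed="$4"
    case "$mode" in
    block)
        # Let DNS (UDP and TCP port 53) through only when it is headed for an
        # approved resolver, then drop every other outbound DNS request.
        for server in $allowed; do
            for proto in udp tcp; do
                printf 'iptables -A FORWARD -i %s -p %s -d %s --dport 53 -j ACCEPT\n' \
                    "$lan_if" "$proto" "$server"
            done
        done
        for proto in udp tcp; do
            printf 'iptables -A FORWARD -i %s -p %s --dport 53 -j DROP\n' "$lan_if" "$proto"
        done
        ;;
    redirect)
        # Friendlier variant: a client that hard-codes some other resolver is
        # silently answered by the router's own forwarder instead of being cut off.
        for proto in udp tcp; do
            printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
                "$lan_if" "$proto" "$router_ip"
        done
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 1
        ;;
    esac
}

# Number of rules a given configuration produces, for a quick sanity check
count_rules() { dns_lockdown_rules "$@" | wc -l | tr -d ' '; }

dns_lockdown_rules "$MODE" "$LAN_IF" "$ROUTER_IP" "$ALLOWED_DNS"
```

`-A` appends, so if the router already has a blanket ACCEPT in its FORWARD chain these rules have to be inserted ahead of it (`-I`) or they will never match. Both modes only ever look at port 53, which is exactly the limitation the posts below describe: a resolver listening on another port, or a VPN or proxy that carries the DNS traffic inside an encrypted tunnel, goes straight past them.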
As elibgrad stated, a smart person can easily undo this since all users have admin access.
You can block even people in the administrator group from having access to change group policy; you will need to make sure you set up an account to be able to change the settings later, though. For example, at work we have several levels of users; unless you are in the Level 1 user group, you cannot run regedit and do not have the Run command, restrictions like that. Even if your account is a local admin, you can't run regedit. You can do the same thing for the group policy editor.
A user account may be part of the local admin group, but if that group is removed from the rights to edit group policy, they won't be able to.
This is best done in a domain setting, though. Locally, you'd have to make sure you have an account set up that does have edit rights, or you will be stuck in a loop.
All I do is place a device in between that does a simple IP NAT on the DNS address to whatever I want. If you try to reroute port 53, then I just NAT that to another port and use an external DNS that does not use 53.
The holes in OpenDNS are well known, and nobody that can afford a better solution uses it.
I work in IT security for a large company; even with many millions of dollars of proxy and firewalls, we can find no solution to the SSL VPN running from someone's house.
You would have to block HTTPS and ActiveX to prevent it.
Seems like it should be easiest to manage, and I don't think it can be easily defeated. I picked up an Untangle U10, which will go between the modem and switch. Just got it, so it's not installed yet, but especially since I'm managing a number of computers, it should be a single-point solution for the entire network.
A bit costly, but should easily pay for itself in productivity gains.