quagmire02 All American 44225 Posts
i have a couple of clients that want to pick up a couple of netbooks only for use on 3 websites, all portals associated with their company
in order to secure them against being used for anything else, i figured you could set them up with an administrator account and a generic user account and then block the entire internet except for those 3 sites (so using a whitelist)
the netbooks they want come with windows 7 starter...even were i more familiar with system administration in general, i don't know enough about the different windows 7 flavors in particular to know if the w7 starter will allow this
and if it can, how complicated is it? it's a small company and i'm just their web person (which means they think i know all that is encompassed by "IT")...i consider it a learning experience 7/23/2010 2:16:16 PM |
V0LC0M All American 21263 Posts
why would anyone WANT a netbook? 7/23/2010 2:35:49 PM |
qntmfred retired 40816 Posts
because they need a cheap and/or portable way to access a network connection? 7/23/2010 2:38:25 PM |
V0LC0M All American 21263 Posts
well I would think setting up a domain would be the best route but I doubt you can do that on Windows 7 starter. 7/23/2010 2:41:47 PM |
quagmire02 All American 44225 Posts
^ what do you mean?
is there really no simple way to say "block everything except http://www.website1.com/ and http://www.website2.com/ and http://www.website3.com/ "? 7/23/2010 2:53:33 PM |
V0LC0M All American 21263 Posts
I honestly have never tried to block everything but a few websites.
We simply just blacklist websites in the server/firewall that we don't want employees to access.
Our company is set up on a domain that has user profiles that specify what they can access on both our internal network and outside.
[Edited on July 23, 2010 at 3:05 PM. Reason : .] 7/23/2010 3:02:19 PM |
quagmire02 All American 44225 Posts
does this sound right?
http://www.ehow.com/how_5078719_block-websites-except-one.html 7/23/2010 3:04:42 PM |
Noen All American 31346 Posts
yes you can easily do this.
use the HOSTS file and route everything by default to website1. then add explicit entries for site2 and site3. then permission the host file appropriately.
You can do this with local security policy (or group policies) too, but that doesn't really meet the "simple" bar. 7/23/2010 3:05:59 PM |
V0LC0M All American 21263 Posts
lol yeah i guess that could work but I wonder if that works on all browsers
[Edited on July 23, 2010 at 3:07 PM. Reason : referring to the link]
Hey Noen, does that method work on all browsers? We tried something similar and people were getting through on Chrome.
you would think so since it's a group policy
[Edited on July 23, 2010 at 3:08 PM. Reason : but we couldn't figure out why Chrome was unaffected] 7/23/2010 3:06:46 PM |
quagmire02 All American 44225 Posts
^^ can you give me an example? i didn't think the HOSTS file supported wildcards and that's the only way i can think of to do that
^ why would the browser matter if you're talking about the HOSTS file? or do you mean the link i posted above? 7/23/2010 3:08:43 PM |
V0LC0M All American 21263 Posts
it shouldn't matter but like I said, i have never tried this scenario before so I am probably not the best person to ask
We tried to block certain websites using the local security policy editor but it only seemed to work on IE and Firefox. Chrome would pass right through. We obviously were doing something wrong but didn't have the time to figure it out so we just went to the firewall and took care of business. 7/23/2010 3:11:44 PM |
lewisje All American 9196 Posts
I don't know how to use the HOSTS file to make a whitelist, just a blacklist; I know something you can do in Opera is set up the urlfilter.ini file so only those three sites are on the "Include List" and all others are on an "Exclude List" like this:

    [prefs]
    prioritize excludelist=0
    [include]
    http://0.corp.com/*
    http://1.corp.com/*
    http://2.corp.com/*
    [exclude]
    *

Then you can put this file in a place where the generic user can't access it (like possibly the system32 folder) and then use the operaprefs_fixed.ini file (also to be placed in system32) to point to that urlfilter file, that way the user can't change that setting: http://www.opera.com/support/mastering/sysadmin/#system-fixed-file
In IE, I think you can restrict users to browsing only Trusted Sites (with only those special 3 being Trusted), and you can use local security policy or group policy to enforce that and lock down the security zones.
I don't know how to similarly lock down Safari, Chromium, Firefox, or any browsers based on them (like Chrome, SRWare Iron, Flock 3 Beta, Flock, Songbird, Wyzo,...); one possibility is to only let iexplore.exe (and possibly opera.exe, if you've locked it down as I described above) access the Web. 7/23/2010 3:22:23 PM |
wwwebsurfer All American 10217 Posts
^yea, you do that. You blacklist using a wildcard (as in every website NOT the 3 you want get redirected back to localhost.)
Here's some step-by-step
Quote : | "1. Browse to Start -> All Programs -> Accessories
2. Right click "Notepad" and select "Run as administrator"
3. Click "Continue" on the UAC prompt
4. Click File -> Open
5. Browse to "C:\Windows\System32\Drivers\etc"
6. Change the file filter drop down box from "Text Documents (*.txt)" to "All Files (*.*)"
7. Select "hosts" and click "Open"
8. Make the needed changes and close Notepad. Save when prompted." |
Before you put it into a locked partition or something you'll want ipconfig /flushdns too.
[Edited on July 23, 2010 at 9:27 PM. Reason : just found this, not sure if it's worth it: http://www.abelhadigital.com/hostsman] 7/23/2010 9:26:11 PM |
lewisje All American 9196 Posts
I didn't think wildcards were permitted in HOSTS files, just specific domains; gotta go test this
Also I use HostsMan and update with Pete Lowe's Adservers, and I use optimization and remove comments and set 0.0.0.0 as my redirection address and change all line-endings from CR+LF to just LF, all to save space
[Edited on July 23, 2010 at 9:39 PM. Reason : and wildcards in my HOSTS file didn't quite work...maybe generic TLDs would 7/23/2010 9:31:06 PM |
wwwebsurfer All American 10217 Posts
^did you clear dns cache? should have worked 7/23/2010 9:43:34 PM |
lewisje All American 9196 Posts
I stopped the DNS Client service when I got into the habit of maintaining a major ad-blocking HOSTS file; it made my web browsing slow to a crawl on the regular while the DNS Client would regularly update the cache, because a 309KB HOSTS file (which without the optimizations would be about 450KB) is a lot to crawl through.
Also why I only use Lowe's list is that the others are too big and have some important false positives, like MegaUpload and SourceForge (not the domain itself, but some domains its assets are hosted on, without which the site won't show up); when I was first testing this out I would have a 5MB file and that makes my browsing way too slow anyway.
[Edited on July 23, 2010 at 11:09 PM. Reason : and just to test, I added google.com to the file, and it got blocked immediately 7/23/2010 11:07:47 PM |
Shaggy All American 17820 Posts
Set the proxy server in IE to be whatever (it can be valid or not). Add exceptions for the few sites you want to allow. 7/23/2010 11:20:12 PM |
lewisje All American 9196 Posts
and then use Group Policy or something similar to keep the user from changing that setting
of course the best proxy to use is 0.0.0.0
[Edited on July 23, 2010 at 11:40 PM. Reason : also let only IEXPLORE.EXE access the webbernets
7/23/2010 11:40:18 PM |
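
A small model of the two mechanisms debated in this thread, added here as an illustration and not posted by any participant: HOSTS lookups versus a dead proxy with a bypass list. It assumes HOSTS entries match exact names only (consistent with lewisje's test above); the sample hosts text, the example.com/example.net names and the verdict labels are constructed, and website1-3 are the placeholders from the thread.

```python
import fnmatch

# Constructed sample: a hosts file written the way the thread proposes,
# with wildcard lines meant to catch "everything else".
HOSTS_TEXT = """\
# attempted whitelist
127.0.0.1   *            # parsed as the literal name "*"
127.0.0.1   *.com
127.0.0.1   ads.example.net  tracker.example.net
"""
ALLOWED = ["www.website1.com", "www.website2.com", "www.website3.com"]

def parse_hosts(text):
    """Return {hostname: ip}; each line is one IP followed by one or more names."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def hosts_verdict(table, host):
    """Exact-name lookup (assumption of this model); a miss falls through to DNS."""
    ip = table.get(host.lower())
    if ip is None:
        return "dns"
    return "blocked" if ip in ("127.0.0.1", "0.0.0.0") else "pinned"

def proxy_verdict(bypass, host):
    """Dead-proxy model: only names matching the bypass list connect directly."""
    patterns = [p.strip().lower() for p in bypass.split(";") if p.strip()]
    hit = any(fnmatch.fnmatchcase(host.lower(), p) for p in patterns)
    return "direct" if hit else "dead-proxy"

def compare(hosts):
    """Map each hostname to (hosts-file verdict, proxy verdict)."""
    table, bypass = parse_hosts(HOSTS_TEXT), ";".join(ALLOWED)
    return {h: (hosts_verdict(table, h), proxy_verdict(bypass, h)) for h in hosts}

if __name__ == "__main__":
    sample = ["www.website1.com", "news.example.com", "ads.example.net"]
    for host, verdicts in compare(sample).items():
        print(f"{host:20} hosts={verdicts[0]:8} proxy={verdicts[1]}")
```

In this model the HOSTS file is default-allow (any name it does not list still goes to DNS), while the proxy setup is default-deny, which is why only the latter behaves as a whitelist.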