administration and internet whitelist on Windows 7
quagmire02
All American
44225 Posts

i have a couple of clients that want to pick up a couple of netbooks only for use on 3 websites, all portals associated with their company

in order to secure them against being used for anything else, i figured you could set them up with an administrator account and a generic user account and then block the entire internet except for those 3 sites (so using a whitelist)

the netbooks they want come with windows 7 starter...even were i more familiar with system administration in general, i don't know enough about the different windows 7 flavors in particular to know if the w7 starter will allow this

and if it can, how complicated is it? it's a small company and i'm just their web person (which means they think i know all that is encompassed by "IT")...i consider it a learning experience

7/23/2010 2:16:16 PM

V0LC0M
All American
21263 Posts

why would anyone WANT a netbook?

7/23/2010 2:35:49 PM

qntmfred
retired
40543 Posts

because they need a cheap and/or portable way to access a network connection?

7/23/2010 2:38:25 PM

V0LC0M
All American
21263 Posts

well I would think setting up a domain would be the best route but I doubt you can do that on Windows 7 starter.

7/23/2010 2:41:47 PM

quagmire02
All American
44225 Posts

^ what do you mean?

is there really no simple way to say "block everything except http://www.website1.com/ and http://www.website2.com/ and http://www.website3.com/ "?

7/23/2010 2:53:33 PM

V0LC0M
All American
21263 Posts

I honestly have never tried to block everything but a few websites.

We simply just blacklist websites in the server/firewall that we don't want employees to access.

Our company is set up on a domain that has user profiles that specify what they can access on both our internal network and outside.

[Edited on July 23, 2010 at 3:05 PM. Reason : .]

7/23/2010 3:02:19 PM

quagmire02
All American
44225 Posts

does this sound right?

http://www.ehow.com/how_5078719_block-websites-except-one.html

7/23/2010 3:04:42 PM

Noen
All American
31346 Posts

yes you can easily do this.

use the HOSTS file and route everything by default to website1. then add explicit entries for site2 and site3. then permission the host file appropriately.

You can do this with local security policy (or group policies) too, but that doesn't really meet the "simple" bar.

7/23/2010 3:05:59 PM

V0LC0M
All American
21263 Posts

lol yeah i guess that could work but I wonder if that works on all browsers

[Edited on July 23, 2010 at 3:07 PM. Reason : referring to the link]


Hey Noen, does that method work on all browsers? We tried something similar and people were getting through on Chrome.

you would think so since it's a group policy

[Edited on July 23, 2010 at 3:08 PM. Reason : but we couldn't figure out why Chrome was unaffected]

7/23/2010 3:06:46 PM

quagmire02
All American
44225 Posts

^^ can you give me an example? i didn't think the HOSTS file supported wildcards and that's the only way i can think of to do that

^ why would the browser matter if you're talking about the HOSTS file? or do you mean the link i posted above?

7/23/2010 3:08:43 PM

V0LC0M
All American
21263 Posts

it shouldn't matter but like I said, i have never tried this scenario before so I am probably not the best person to ask

We tried to block certain websites using the local security policy editor but it only seemed to work on IE and Firefox. Chrome would pass right through. We obviously were doing something wrong but didn't have the time to figure it out so we just went to the firewall and took care of business.

7/23/2010 3:11:44 PM

lewisje
All American
9196 Posts

I don't know how to use the HOSTS file to make a whitelist, just a blacklist; I know something you can do in Opera is set up the urlfilter.ini file so only those three sites are on the "Include List" and all others are on an "Exclude List" like this:

[prefs]
prioritize excludelist=0
[include]
http://0.corp.com/*
http://1.corp.com/*
http://2.corp.com/*
[exclude]
*

Then you can put this file in a place where the generic user can't access it (like possibly the system32 folder) and then use the operaprefs_fixed.ini file (also to be placed in system32) to point to that urlfilter file; that way the user can't change that setting: http://www.opera.com/support/mastering/sysadmin/#system-fixed-file

In IE, I think you can restrict users to browsing only Trusted Sites (with only those special 3 being Trusted), and you can use local security policy or group policy to enforce that and lock down the security zones.

I don't know how to similarly lock down Safari, Chromium, Firefox, or any browsers based on them (like Chrome, SRWare Iron, Flock 3 Beta, Flock, Songbird, Wyzo,...); one possibility is to only let iexplore.exe (and possibly opera.exe, if you've locked it down as I described above) access the Web.

7/23/2010 3:22:23 PM

wwwebsurfer
All American
10217 Posts

^yea, you do that. You blacklist using a wildcard (as in every website NOT the 3 you want get redirected back to localhost.)

Here's some step-by-step
Quote :
"1. Browse to Start -> All Programs -> Accessories
2. Right click "Notepad" and select "Run as administrator"
3. Click "Continue" on the UAC prompt
4. Click File -> Open
5. Browse to "C:\Windows\System32\Drivers\etc"
6. Change the file filter drop down box from "Text Documents (*.txt)" to "All Files (*.*)"
7. Select "hosts" and click "Open"
8. Make the needed changes and close Notepad. Save when prompted."


Before you put it into a locked partition or something you'll want ipconfig /flushdns too.

[Edited on July 23, 2010 at 9:27 PM. Reason : just found this, not sure if it's worth it: http://www.abelhadigital.com/hostsman]

7/23/2010 9:26:11 PM

lewisje
All American
9196 Posts

I didn't think wildcards were permitted in HOSTS files, just specific domains
gotta go test this

Also I use HostsMan and update with Pete Lowe's Adservers, and I use optimization and remove comments and set 0.0.0.0 as my redirection address and change all line-endings from CR+LF to just LF, all to save space

[Edited on July 23, 2010 at 9:39 PM. Reason : and wildcards in my HOSTS file didn't quite work...maybe generic TLDs would]

7/23/2010 9:31:06 PM
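
On the wildcard question in the posts above: the Windows resolver matches HOSTS names literally, so a "*" line is only a name that no lookup ever asks for, and unlisted names still go to DNS. The script below is an added example, not code from any poster; it models that exact-match lookup over constructed sample content (the 192.0.2.x addresses, the sample lines and the function names are made up for illustration).

```powershell
# Constructed sample HOSTS content: three allowed portals plus the
# wildcard "block everything else" lines the thread debates.
$sampleHosts = @'
# allowed portals (192.0.2.x are documentation placeholder addresses)
192.0.2.10   www.website1.com
192.0.2.11   www.website2.com   # inline comment
192.0.2.12   www.website3.com
127.0.0.1    *
127.0.0.1    *.com
'@

function ConvertFrom-HostsText {
    param([string]$Text)
    $map = @{}   # hashtable keys compare case-insensitively, like host names
    foreach ($line in ($Text -split "`r?`n")) {
        $entry = ($line -replace '#.*$', '').Trim()    # strip comments
        if ($entry -eq '') { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address with no name
        foreach ($name in $fields[1..($fields.Count - 1)]) { $map[$name] = $fields[0] }
    }
    return $map
}

function Resolve-FromHosts {
    param([hashtable]$Map, [string]$Name)
    # Exact string match only: '*' is stored as a literal name, never expanded.
    if ($Map.ContainsKey($Name)) { return $Map[$Name] }
    return $null   # not listed: the resolver carries on to DNS
}

$map = ConvertFrom-HostsText $sampleHosts
foreach ($n in 'www.website1.com', 'WWW.WEBSITE2.COM', 'www.google.com', 'example.org') {
    $hit = Resolve-FromHosts $map $n
    if ($hit) { "{0,-18} -> {1} (from HOSTS)" -f $n, $hit }
    else      { "{0,-18} -> not in HOSTS, falls through to DNS" -f $n }
}

# Audit step: entries containing wildcard characters can never match a lookup.
$map.Keys | Where-Object { $_ -match '[*?]' } | ForEach-Object { "ineffective wildcard entry: $_" }
```

Because the two unlisted names fall through to DNS, a HOSTS file on its own can pin or blackhole specific names but cannot act as a whitelist.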

wwwebsurfer
All American
10217 Posts

^did you clear dns cache? should have worked

7/23/2010 9:43:34 PM

lewisje
All American
9196 Posts

I stopped the DNS Client service when I got into the habit of maintaining a major ad-blocking HOSTS file; it made my web browsing slow to a crawl on the regular while the DNS Client would regularly update the cache, because a 309KB HOSTS file (which without the optimizations would be about 450KB) is a lot to crawl through.

Also why I only use Lowe's list is that the others are too big and have some important false positives, like MegaUpload and SourceForge (not the domain itself, but some domains its assets are hosted on, without which the site won't show up); when I was first testing this out I would have a 5MB file and that makes my browsing way too slow anyway.

[Edited on July 23, 2010 at 11:09 PM. Reason : and just to test, I added google.com to the file, and it got blocked immediately]

7/23/2010 11:07:47 PM

Shaggy
All American
17820 Posts

Set the proxy server in IE to be whatever (it can be valid or not). Add exceptions for the few sites you want to allow.

7/23/2010 11:20:12 PM

lewisje
All American
9196 Posts
user info
edit post


and then use Group Policy or something similar to keep the user from changing that setting

of course the best proxy to use is 0.0.0.0

[Edited on July 23, 2010 at 11:40 PM. Reason : also let only IEXPLORE.EXE access the webbernets]

7/23/2010 11:40:18 PM
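
The dead-proxy-plus-exceptions setup from the last two posts, as an added example that is not code from the thread: it writes the per-user "Internet Options" proxy values and then checks them for drift. The host names are the thread's placeholders, the port on 0.0.0.0 and the function names are assumptions.

```powershell
# Run in the restricted user's own session: HKCU is per-user.
$key       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$allowed   = 'www.website1.com', 'www.website2.com', 'www.website3.com'  # thread's placeholders
$deadProxy = '0.0.0.0:80'   # address from the thread; the port is an assumption

function Set-ProxyWhitelist {
    # ProxyEnable / ProxyServer / ProxyOverride back the IE "LAN settings" dialog.
    New-ItemProperty -Path $key -Name ProxyEnable   -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name ProxyServer   -PropertyType String -Value $deadProxy -Force | Out-Null
    New-ItemProperty -Path $key -Name ProxyOverride -PropertyType String -Value ($allowed -join ';') -Force | Out-Null
}

function Test-ProxyWhitelist {
    # Returns a list of findings; an empty result means the settings still match.
    $s = Get-ItemProperty -Path $key
    $findings = @()
    if ($s.ProxyEnable -ne 1)          { $findings += 'proxy is disabled' }
    if ($s.ProxyServer -ne $deadProxy) { $findings += "proxy server is '$($s.ProxyServer)'" }
    # Bypass list is semicolon-separated; anything beyond the portals widens access
    # (that includes the '<local>' token if someone ticks "bypass for local addresses").
    $bypass = @("$($s.ProxyOverride)" -split ';' | Where-Object { $_ -ne '' })
    foreach ($entry in $bypass) {
        if ($allowed -notcontains $entry) { $findings += "unexpected bypass entry: $entry" }
    }
    foreach ($site in $allowed) {
        if ($bypass -notcontains $site) { $findings += "missing bypass entry: $site" }
    }
    return $findings
}

Set-ProxyWhitelist
$result = @(Test-ProxyWhitelist)   # restart the browser before testing by hand
if ($result.Count -eq 0) { 'proxy whitelist in place' } else { $result }
```

Any other host names the portals load content from have to be on the bypass list as well. The user can rewrite HKCU, so this holds only once policy stops them changing the setting, as the post above says; Test-ProxyWhitelist is there to spot drift.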
