Blocking Internet

[goaliepride]

Im sure this has been asked for, so a link would be just fine and very helpful. This site isn't the easiest to search for things in.

Does anyone know a good way to block the Internet? So far I've set the IE homepage to something Internet saying they don't have Internet and setting their proxy server to their local machine through a program called desktop authority. This however does zilch for firefox/opera/whatever else.

any ideas?

*edit for clarity.

I would like to ban student access, just a few of them. Right now I have them in an active directory group

[antoeknee]

I think your question is a little vague.

Do you want to block for individual user?

or

a whole suite for a specific time?

Low cost on the fly option is BrowseControl, machine level one, selection or all in a suite. For teachers something like Ranger Remote works and they have control for their suite.

When we get new pupils we drop them in a group called banned which has wrong proxy info. Once we get their signed 'responsible use of the internet' form we remove the group from their profile. We use this to remove internet access to pupils who transgress by adding back into their profile!

[goaliepride]

I would like to ban student access, just a few of them. Right now I have them in an active directory group

[antoeknee]

Seems acceptable way to manage this. We don't get too many and just adding or removing the banned group from their 'members of' works well for us.

[FN-GM]

What we do is create an OU called “net ban” and on that OU set a group policy to point to a non existent proxy server. Anyone in that OU will not be able to access the internet. Just move the students between this out and the main on when you want to allow and disallow them.

[goaliepride]

As I understand it, the problem is that this is a setting for internet explorer, so it does not block say firefox or opera from getting to the Internet.

[FN-GM]

Set a software restriction policy so they won’t be able to open them apps when they are put in that OU.

[goaliepride]

The problem I see with that is that either you block them by name/where-installed which leaves open name changes and running off flash, or you block them by hash, in which case you better have a hash for every version of every browser.

I was hoping to have more of a universal no Internet methodology.

I do appreciate the response (/s) though, thank you

[FN-GM]

Do you not run a network version of FF?
What content filter and proxy server do you use?

[FN-GM]

Or you use a startup script to restrict security permissions on the firefox folder in program files for a particular group. Then add users to that group when they are banned.

[goaliepride]

I don't know what you mean by FF.

Filtering is done at the county level and is hands off for my group. Proxy is all done via Cisco.

The problem with a firefox script is that it's not just firefox I want to stop, and the fact that you could potentially run it from a flash drive.

[FN-GM]

FF = FireFox

Set the script to control the other apps.

Do you allow .exe's to be run from pendrives? That could potentially be a big security risk.

Can the Cisco proxy integrate with AD? You could also fine an opensource content filter of your own that can integrate into AD, im not sure the linux ones will allow you to do this though

[goaliepride]

as it is right now, students can run things from pendrives. I've walked into that setup.

it is a side question, but how do you personally prevent people from running things from pendrive/CD?

[FN-GM]

Do a quick search on the forums there are a few posts that will help you on that, there will be allot more information on there than i can provide.

Keywords to use are block, exe, pendrive.

[teejay]

Configure Cisco routers to use Active Directory authentication -- the Windows side
followed by
Configure Cisco routers to use Active Directory authentication -- the router side

Think that will do what you want. If you can't block individual apps then you have to do it by authentication on the Cisco firewall.

PS - make sure the time on the Cisco is in sync with your network time. If they are out by 5 minutes they won't authenticate. Caught me out a few times that one!