Saw this thread : http://www.edugeek.net/forums/securi...ass-sites.html
Made me think - is it possible to create another 2 groups ( one whitelist and one black list on top of the original white list and black list that you already have ) and then link the 2 newly created groups to a specific OU ie web restricted so that you can still give those students access to your VLE, the bbc and only specific learning websites and then ban any other websites in the black list by using a wild card of some sort ?
Then also on the OU apply a hash of IE any other web browser exe's to stop them from launching any of the web browsers ( not sure if that will stop them using my computer to browse the web or using word - creating a link in word and then ctrl clicking the link ).
Also how do you disable the address bar in my computer ( aka explorer.exe ) ?
You can only define access rules via groups through ISA so you would need to move the restricted users into a specific group as well as an OU. You should be able to have multilayered white lists but why not simply have a core list that is right at the top and always accessible, ie VLE then have the white list applied to all users apart and denied to your blocked group after that.
Don't think about disabling "other browsers" - it's a losing game. Some toerag will come in with a mod'd firefox on USB or whatever.
Block port 80 outbound pon your firewall. Open it for your proxy and anything else that absolutely categorically won't play ball with your proxy (few things really come into this category - if you have one, LMK, I can solve most of them for most proxies...). Then it doesn't matter a curse if someone uses word, or firefox, they will get nowhere.
Next stage is to either block, or heavily filter unauthenticated proxy users, so if they don't auth, they don't win.