controlling access to internet sites

[matt_richards]

Hello there,

I am looking for a way of restricting access to a very limited subset of internet sites - specifically hotmail. This is for use in a work environment where people need to be able to access their hotmail accounts - but the paranoid bosses are concerned they will have a free reign to surf the internet.

I have tried using the content advisor in IE6, but I cannot find an "only allows this site" function. Also, I don't know if the fact that hotmail will link to other sites - including the secure server for emails - will complicate the blocking procedure.

I would be very grateful for advice, as I need to implement this system as soon as possible.

Thanks in advance,

Matt.

[morriswindgate]

The old problem of limiting access. The problem with this is that if you place enough limits on the access all you people will be able to access is porn sites. Take for instance you exclude the word "Nude." so now you cannot get on a site that sells a nude color leather chair. Or the word "Virgin" so a person cannot get to a site to buy something mad out of Virgin Vinyl.
The best way to control access is to have a written policy concerning Internet usage at workthat everyone reads and signs.

[matt_richards]

Interesting point mate,

Unfortunately in this situation, a written policy would be entirely inappropriate and only an electronic solution will be acceptable. Incidentally - how do you set up filters which block sites according to keywords?

Cheers,

Matt.

[GaryRouth]

Well, a hardware solution would be to cache only cetain sites in a proxy server & only allow them access to the proxy. This is very close to what is often referred to as an "Intranet" - with mainly company specific news & sites, human resources areas, etc.

This tends to be a managerial headache if things want to be opened up a bit, since each site has so many outward pointing links that won't be on the proxy unless manually added.

What I'm hearing from friends in technical industries is that they are allowed full access - in exchange for a written policy against misuse/overuse (like morris noted) - and with full knowledge that they are tracked wherever they go or whatever they do on the internet while using a company computer (using tracking software).

I don't know all the details - but that's a general idea. Seems like ExtremeTech.com had some articles on it a while back. I imagine something like InfoWorld might handle this issue a lot, too.

Best of luck
. . . Gary

[matt_richards]

Thanks for the feedback,

I don't really want to use a hardware solution, as it seems a bit overkill for my purposes.

Surely there must be a piece of software which someone can recommend that runs under windows and controls access to sites which a supervisor specifies, denying access to all others. It does not need to be 100% hacker proof as the people I am dealing with are not going to be trying to bypass it.

Incidentally, what tracking software would you recommend.

Thanks again,

Matt.

[Horsepwr]

The book Visual basic 6 from the Ground Up by Gary Cornell came with a basic browser which you could change the code. I just removed the address bar and the search function and made the home page with no outside links so the only place they can go is to my intranet databases. Only problem in your case is if they go to a hot mail account they may have access at that site to go elsewhere. But maybe you could use this in some way.

[Hot Rod]

Would something like Net Nanny fill your needs?

http://www.netnanny.com/products/netnanny5/intro.html

[TheOldMan]

Matt,

Here is the "restrict to certain sites" function of Content Advisor.
How to Configure Internet Explorer to Block Access to All But Approved Internet Sites

Just remember that it has to be done on each and every computer. Others have already suggested the "best" approach; an "Acceptable Use Policy."

Another suggestion would be to use the Security Policies. It can be set up and then distributed to individual computers. Here is a link to help with PolEdit

Good luck.
The Old Man

[matt_richards]

Thanks for all the feedback,

This is indeed a tricky issue but I have got a few things I can try now. First, I don't think my visual basic knowledge is strong enough to dabble, plus I really do need to stick with IE. I will look into net nanny 5 - there may be some way to adapt it to my needs. Finally, I am going to experiment with the content advisor some more - that microsoft article looks very promising.

I agree that the "acceptable use" policy would be most logical, but it simply would not be appropriate in this environment.

Thanks again,

Matt

[morriswindgate]

Why do you say that a written policy is not a valid alternative? Also if you are wanting to restrict access, why in the hell is your company using Hotmail, which is the biggest spam generator for adult and questionable links out there. I mean there are hundreds of thousand websites that tell you how to hack Hotmail on the internet. Nothing on hotmail is secure.
If the people running your company have a real desire to do something and not just react to something they have heard. First get a webhosting service, such as Powweb which advertises on PC Mech, You can put up nothing more than an info page on the address, but it will give you a set of dedicated E-Mail address for you employees and along with that control over the E-mail. And then put in a written policy with substansial penalties for violations. And talk some reason into your bosses. In todays workplace employees should be allowed to use the internet for limited personnal reasons, these can be limited shopping, radio and multimedia, news, and a few others. To blindly limit the employee will not only create a negative environment, the precieved lack of employee trust leading to reduce loyalty, but it will also limit innovation of the use of technology. For instance, the last time I dropped in on a client of mine to see how the computers were doing, I noted that AIM was installed and since he had previous service problems that were due to downloaded shareware/spyware/file-sharing software, I ask him about it. He told me that his office gal had set up to IM with the gals at his suppliers so that she can keep current.
And just to let you know, the problem of the software being installed on his machines was handled with nothing more than a letter from me that all of his employees were required to read and sign, which explained why the installation of these programs were problems and the fact that it cost the boss a couple of hundred bucks every time I had to come out and straighten out the network/Internet access problems.

[matt_richards]

morriswindgate:

It is very easy to talk in terms of ideal-type generalisations, but when you are dealing with a very diverse range of customers, it is necessary to adapt to their specific needs. It is not always practical to rip out an existing system and replace it with a model installation - instead I have to build around what is already present, phasing out pre-existing systems as I go along.

I didn't say that the "written policy" was not valid but just that it was not appropriate in the particular business environment in which I am doing this installation. As I have direct experience of this client's idiosyncracies, I am better equipped to make this judgement.

I could not agree more about hotmail being a spam magnet, but unfortunately not every installation is textbook. I have to take into account legacy systems which are in place - as a lot of people have established hotmail accounts, it would not be viable to immediately terminate them.

My company has a well established web hosting service and when we are implementing a system from scratch this will typically be implemented.

Your comments about today's workplace are too general and too idealistic to be of any relevance here. In this case the computer system has been introduced - at significant expense - to greatly reduce much of the tedium associated with the employees' jobs. I am not acting as a moral adjudicator - as such I am not going to trouble myself with what constitutes legitimate personal use. I will however say that if you genuinely believe that employers should allow staff to shop, listen to the radio, check out the news and enjoy the coverall category of multimedia on work time, you can't have much real-world business experience. What I am talking about is not "blindly limiting" internet access, but rather utilising it for a very specific purpose .

I am eager to maintain the hitherto constructive spirit of this thread and stop it from degenerating into rant territory, so I will simply ask that you focus on the specific question that I asked without needlessly editorialising.


Matt Richards

[GaryRouth]

Hi again all

Looked around a little, and there are a lot of filtering type of programs. Here's a link to Yahoo's list:
http://dir.yahoo.com/Business_and_Ec...and_Filtering/

You could look the list over & see if there's anything there that might do. The idea to limit to specific sites via Content Advisor might do if the list of sites is fairly small.

I was also wondering if your firm plans on using something like IBM Director - the remote management software for networks. I wonder if they have a plug-in module for controlling Internet access on a per-site basis. The thing about programs such as Director is that they are designed for large networks and have a price tag to match. But they have handy tool sets for what they do - I couldn't find the exact info to see if it can control Internet access on a per-site basis, though.

Hope it turns out OK - it's a tough question.
. . . Gary

[p.s. ...you'd asked about tracking software . . . I think that many of the filtering programs perform tracking as well. At one extreme end are keyloggers, which record all keyboard & mouse activity - I don't have much personal experience with these, but I can check this weekend with the Internet Systems Administator at my work.]

[matt_richards]

Thanks for looking into that GR, that's very helpful.

I am just looking through those programs now and I am going to try them out - along with the content advisor workaround - on my own machine first. I haven't got to implement the system til next week so I will have chance to check this out properly over the weekend.

In terms of monitoring, I don't think I will need to use it in this specific case, but it is definitely something that I need to explore for future reference. If you could check with your administrator guy and post back, that would be excellent.

Cheers mate,

Matt.

[matt_richards]

I think I have my particular problem nailed down,


First the problem of restricted internet access has been nicely addressed with the content advisor fix. I've no doubt this is far from hacker-proof, but I'm just dealing with regular people here not the cult of the dead cow.

As far as the hotmail access is concerned, as I feared the ever-changing nature of the url's threw up problems with the permitted site list. I went through every permutation of normal hotmail use, allowing each site. Unfortunately, it would spontaneously demand the supervisor password because an address has changed.

To get round this, I switched over from the web interface and set the accouts up through outlook express.

Thanks for the input folks,

Matt.