Restricting websites for domain users

Hello,

We have a Windows 2008 R2 Standard server with Service Pack 1 and IE 9.

All users in the domain get to the internet through the server and are allowed to visit any web site. Users have a combination of Windows XP Pro SP3 and Windows 7 Pro.

We would like to institute something to restrict user website browsing.

I found this information in a search of the web:

http://www.windowsecurity.com/articles/Restricting-Specific-Web-Sites-Internet-Explorer-Using-Group-Policy.html

It looks like this should work, but it seems like it would be a lot of work to either get the allowed sites into IE or the not allowed sites into IE.

Does anybody know of a file that can be imported into IE to populate the Allow this web site for Always or Never?

Any help anybody can provide to institute a website restriction policy would be gratefully appreciated.

Thanks,
Tony

November 4th, 2011 6:54pm

Hello,

You can block URLs using group policies: http://www.grouppolicy.biz/2010/07/how-to-use-group-policy-to-allow-or-block-urls/

Personally, I would recommend using a Proxy server like TMG Forefront to filter Web access instead of using group policies.

November 4th, 2011 8:20pm

I agree with Mr X.  While these GPO solutions will work for approving/blocking just a few sites, it will be difficult to manage in an Enterprise environment.  For more management and control, the optimal design requires a proxy & firewall configuration or URL filtering capable firewall.


November 4th, 2011 8:33pm

Right, it works only with IE & complex management; go for a proxy if you want to block sites. Maybe ISA or TMG you can utilize.
November 4th, 2011 8:52pm

Best way is use proxy server (TMG 2010) on your environment. That is very difficult to manage websites from group policy. With a TMG 2010 there are some categories we can restrict user IP based or user based.

http://www.microsoft.com/en-us/server-cloud/forefront/threat-management-gateway-features.aspx

November 5th, 2011 1:34am

Hello,

Thanks for all the replies.

I don't know why it is so hard to figure out the pricing for the TMG 2010 product.  What I can determine is the product will cost about $1700.00 for the server and 16-20 workstations.  Not to mention my time and effort to install and set it up for the client.

Does that sound about right?  Is ISA much different in price?

Thanks,
Tony

November 5th, 2011 2:05pm

Then you can use some open source products.

http://www.untangle.com/

November 5th, 2011 3:24pm

Hello Darshana.

Thanks for your help.

According to the information on the link that you provided, Untangle requires a "dedicated server".  Does that mean a separate computer on the network with Windows server on it?  If so, I'm not sure of how that is much different in cost compared to using TMG 2010.

I'm not complaining about the price of TMG, I just wanted to be sure that I am looking at the right pricing for them and if ISA is an option also.

Thanks,
Tony

November 5th, 2011 3:38pm

http://www.microsoft.com/en-us/server-cloud/forefront/threat-management-gateway-buy.aspx

You can get the idea about TMG 2010 licensing from the above link.

November 5th, 2011 4:27pm

Hello Darshana.

Thanks for that information link.

I'm still unsure about what to do.  Is ISA part of TMG 2010?  I can't seem to find prices for ISA.

Thanks,
Tony

November 7th, 2011 1:55pm

Tony,

I would recommend that you research this some more. There are a lot of options out there, from open source to dedicated appliances that can be integrated into your network.

Aside from Microsoft's product line, you have Sonic Wall, Blue Coat, Palo Alto, CheckPoint, etc.  Some of these traditional dedicated appliances also run in a VM configuration as well.

The very nice feature that I like about the MS products are the obvious easy integration with Active Directory.  However, some of the 3rd party solutions can provide additional features and reporting that may be lacking in other solutions.


November 7th, 2011 2:34pm

Hello JM.

Thanks for your reply.

I was hoping to avoid any extended research on this issue.  That's why I am here.

I would rather stay with a Microsoft solution for the same reason.

We just want to be able to control which websites are allowable by users on the domain.  We're not trying to find any sophisticated security solution.

Thanks,
Tony

November 7th, 2011 3:05pm

We push out a hosts file through a script that redirects users to 127.0.0.0 for all sites they are not allowed to visit.
November 7th, 2011 5:24pm

Hello Ghostta.

Thanks for your information.

How big is your hosts file?

Does the hosts file have the exceptions?

Thanks,
Tony

November 7th, 2011 5:29pm

Just as a note for using DNS/Hosts file that you will need to consider.  For instance, if a user is an admin of their box, they can modify the hosts file if they want to bypass the restriction.  In any case, if this is what you are considering, I would simply recommend that you use DNS instead of the HOSTS file.  The reason is that DNS is a centralized solution.  When you update DNS, you are essentially updating name resolution for all of your clients.  Otherwise, implementing via HOSTS file would require you to redeploy the updated file.  I have implemented this various times, but for a different reason.  For instance, this works well when fighting malware.  If a social engineering attack is made against your users by sending them an email with a malicious URL, they may click on the link.  The client will then resolve the URL by querying DNS.  If you create "black-hole" zones and point these zones to the loopback address (127.0.0.1), the browser will not connect the user to the malicious web site.

However, using this method to prevent your users from accessing websites is also very easy to bypass.  For instance, a user (that's an admin of their box) can just configure their client to use a public DNS server (8.8.8.8) as an example.   You can prevent them from using other DNS servers, but you'll need to configure your perimeter firewall to prevent this (which is my recommendation of a proxy/firewall solution).

The Microsoft option is good, and very cost effective, and it integrates with other MS products.  Sounds like a good fit for your organization.  Anything other than proxy/firewall can easily be worked around by users.


November 7th, 2011 9:42pm
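The two mechanisms discussed in this thread, the pushed-out hosts file (Ghostta's post) and the DNS "black-hole" zones (JM's post), as an added PowerShell example that is not from any poster here. It assumes the script runs elevated on the Windows Server 2008 R2 box with the DNS Server role installed (so dnscmd.exe is available), uses a constructed blocklist rather than a real one, and wraps the managed hosts entries in marker comments so a re-push replaces only its own lines.

```powershell
# Added example, not from the thread. Applies one blocklist either as a hosts file
# (for pushing to clients) or as DNS black-hole zones on the domain DNS server.
# Assumptions: dnscmd.exe on PATH, '.' = local DNS server, constructed blocklist below.
param(
    [ValidateSet('Hosts', 'Dns')]
    [string]$Mode = 'Hosts',
    [string]$DnsServer = '.'
)

# Constructed sample blocklist; in practice load it with Get-Content .\blocklist.txt
$blocked = @(
    'blocked-example.test',
    'www.blocked-example.test',
    'another-site.example'
)
# Loopback sinkhole, as in the thread: the browser fails to connect instead of reaching the site
$sinkhole = '127.0.0.1'

function Test-HostName {
    param([string]$Name)
    # Accept only plain DNS names so a malformed or injected line cannot corrupt hosts/DNS
    return $Name -match '^(?=.{1,253}$)([a-z0-9](-*[a-z0-9])*\.)+[a-z0-9](-*[a-z0-9])*$'
}

function Write-BlockHosts {
    param([string[]]$Names, [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $begin = '# BEGIN managed blocklist'
    $end   = '# END managed blocklist'
    # Keep every line outside the managed block so local entries survive each push
    $kept = @()
    if (Test-Path $Path) {
        $inBlock = $false
        foreach ($line in Get-Content $Path) {
            if ($line -eq $begin) { $inBlock = $true;  continue }
            if ($line -eq $end)   { $inBlock = $false; continue }
            if (-not $inBlock)    { $kept += $line }
        }
    }
    $managed = @($begin)
    foreach ($n in $Names) {
        if (Test-HostName $n) { $managed += "$sinkhole`t$n" }
        else { Write-Warning "Skipping invalid host name: $n" }
    }
    $managed += $end
    # The hosts file must be plain ASCII (no BOM) or the resolver ignores it
    Set-Content -Path $Path -Value ($kept + $managed) -Encoding Ascii
}

function Add-BlackHoleZone {
    param([string[]]$Names)
    foreach ($n in $Names) {
        if (-not (Test-HostName $n)) { Write-Warning "Skipping invalid host name: $n"; continue }
        # Create a standard primary zone for the blocked name (use /DsPrimary for AD-integrated)
        & dnscmd $DnsServer /ZoneAdd $n /Primary /file "$n.dns" | Out-Null
        # Answer the zone apex and every subdomain (wildcard) with the sinkhole address
        & dnscmd $DnsServer /RecordAdd $n '@' A $sinkhole | Out-Null
        & dnscmd $DnsServer /RecordAdd $n '*' A $sinkhole | Out-Null
    }
}

if ($Mode -eq 'Hosts') { Write-BlockHosts -Names $blocked } else { Add-BlackHoleZone -Names $blocked }
```

Run with `-Mode Dns` on the DNS server to create the zones centrally, or with the default `-Mode Hosts` from a startup script to overwrite the client hosts file. The wildcard record in the DNS variant is what covers subdomains, which a hosts file cannot do; the marker comments in the hosts variant are what let a later push replace the managed block without touching other entries. Neither variant survives a user who is a local admin or who points the client at another resolver, which is the caveat JM raises above.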

150 KB in size.  And no, there are no exceptions in the hosts file.  I'd like to mention that we have moved away from the HOSTS file and now block via our firewall policies.
April 16th, 2015 5:34pm
