Re: How to restrict Internet access for certain PCs to certain web sites?


comp.security.firewalls archive

From: Somebody. <somebody.@spamout.russdoucet.com>
Date: Sun Dec 04 2005 - 13:55:46 CET

"Charles Newman" <charlesnewman1@comcast.spam-me-not.net> wrote in message
news:dZidnTtLkPjIow_e4p2dnA@comcast.com...
>
> "Squish" <guest@yourplace.now> wrote in message
> news:3c3to11q56jo3dau11oq4tin2hlhpgl7v7@4ax.com...
>>I have a few PCs that I want to limit their Internet access to nothing
>> more than Windows updates and AV updates. All other Internet access I
>> want blocked but I want to preserve LAN access via TCP/IP. Is there
>> an easy solution for this like a proxy software that I can place on a
>> server somewhere so that I do not need to configure each PC? I was
>> thinking about setting the gateway on these PCs (via the DHCP
>> reservation) to the IP address of the server with this software and
>> setting up various access rules on this server as necessary. This is
>> for a MS Windows environment but I could build and use a Linux box if
>> necessary. Please reply to the group, e-mail addy is not valid. TIA.
>
> You will need to have two proxy servers, like I have on my network. One
> is unrestricted, and is filtered, and does not require authentication, and
> the other, requiring authentication, is unfiltered. That way, those users
> authorized for unfiltered access can log on to the unfiltered proxy.
> You just need to run two proxy programs on a PC running something
> like AllegroSurf. Then you just set up your proxies. ProxyPro is
> good for this, as it supports authentication, and then you use another
> filtered system, such as CyBlock, for the filtered proxy.
>
> What you want to do cannot be achieved through a firewall
> appliance, you will need something with a little more muscle.

Incorrect. With any Fortigate firewall appliance, I can filter by category
and create entirely different profiles to be applied to different sets of
IPs. No changes whatsoever are required on any of the machines; you simply
add them individually or via subnet masks to create groups which are applied
to the policies.

In the case of only wanting a very few addresses to be possible, rather than
only a few categories, I would simply create a set of whitelisted addresses
and/or top level domains, and enable that feature for the address groups in
question, leaving the others unfiltered. Or, I might still choose to block
porn and adware for the rest of the unfiltered PCs just for good measure.
You could add authentication to any of these policies if you choose, and
when the new firmware for these boxes comes out in a few weeks, it will even
use active directory groups to authenticate policies, and can even be
configured to allow an override to the category block with proper
credentials, allowing an admin to get to a different page for a special
download even on a filtered machine, for example. And it can all be logged.

The nice thing with this setup is that you can control it all centrally from
the appliance (via a browser); adding or removing PCs from each group, or
modifying the policies for each group as needed, without touching the PCs.
Not to mention you can enable intrusion prevention, Antivirus, SPAM
filtering, and VPNs on the firewall if you are interested in those also.

Is that muscle enough for you?

-Russ
Received on Sun Dec 11 14:24:10 2005
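
The per-group whitelist logic described in the message above, sketched as an added example that is not part of the original post and is not Fortigate configuration. The group name, addresses and the AV vendor domain are constructed assumptions; only traffic leaving the LAN is modelled.

```python
import ipaddress

# Constructed sample policy: address groups (single hosts or subnets) mapped
# to a whitelist profile. Names, addresses and the AV domain are assumptions.
ADDRESS_GROUPS = {
    "update-only": ["192.168.1.50/32", "192.168.1.64/28"],
}
PROFILES = {
    "update-only": {"windowsupdate.com", "update.microsoft.com",
                    "av-vendor.example"},
}
DEFAULT_ACTION = "allow"  # PCs outside every group stay unfiltered


def group_for(src_ip):
    """Return the first address group containing src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for group, members in ADDRESS_GROUPS.items():
        if any(addr in ipaddress.ip_network(m) for m in members):
            return group
    return None


def domain_allowed(host, allowlist):
    """Match only on a DNS label boundary, so 'notwindowsupdate.com' and
    'windowsupdate.com.example.net' do not pass as 'windowsupdate.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def decide(src_ip, host, log):
    """Evaluate one outbound request and append the decision to the log."""
    group = group_for(src_ip)
    if group is None:
        action = DEFAULT_ACTION
    else:
        action = "allow" if domain_allowed(host, PROFILES[group]) else "block"
    log.append((src_ip, group, host, action))
    return action


if __name__ == "__main__":
    log = []
    for src, host in [("192.168.1.50", "download.windowsupdate.com"),
                      ("192.168.1.70", "www.example.org"),
                      ("192.168.1.70", "windowsupdate.com.example.net"),
                      ("192.168.1.200", "www.example.org")]:
        print(src, host, decide(src, host, log))
```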