How can I cut off Internet connectivity on a PC in my network?

Discussion in 'OT Technology' started by cmsurfer, Apr 21, 2004.

  1. cmsurfer

    I need to cut off the Internet access on a PC in my network at work. They will still need to get e-mail and access to network drives.

    Is there any easy way to do this? I posted this a while ago on a tech board and I got smart ass responses saying to un-plug the cable and other crap, but nothing worth looking at.

    The closest thing I saw was to restrict the use of IE by group policy, but that wouldn't stop anyone from going to start -> run -> and typing in a web address to get around it or clicking a link in an e-mail.

    Again, this is for my work, I want to do it right and not half-ass it.

    I'd appreciate any help.

    Thanks,

    CM>
     
  2. col_panic

    if you can, put in a proxy server between the office's internet connection and the lan, and use authentication to control who can access the internet and who cannot. if this is not feasible you might try a third party product like

    http://www.browsecontrol.com/
     
  3. cmsurfer

    Thanks. I do not know how to set up a proxy server. Does anyone have any links to some kind of write-up or how-to?

    CM>
     
  4. col_panic

    if you are comfortable with linux you can use squid for free.

    http://www.tldp.org/HOWTO/Firewall-HOWTO.html

    if not, i believe isa server is the microsoft solution. there are probably some other fine hardware packages you can buy prebuilt
     
  5. mdaniel

    How about pointing IE to a non-existent proxy server (like 127.0.0.1) on that machine? Does that machine's email come from a local server? If so, it doesn't need any Internet access and you could manually configure its tcp/ip and remove the default gateway. That way it would have local network access but no Internet.
     
  6. cmsurfer

    Yea, e-mail comes from an in-house server. Thanks, I guess I'll do it that way for now.

    CM>
     
  7. 5Gen_Prelude

    If they don't need any outside contact, just don't fill in the gateway address.
     
  8. col_panic

    you can hobble machines individually, but that becomes an administrative nightmare on a large enough scale and a savvy user can always get around it. i would control it centrally and hand out or revoke authentication as required by management.
     
  9. mdaniel

    True. But from his question, I got the impression that he was just looking to cut off a single machine and I gave a couple of quick and free options. I did bookmark your link to Browse Control. It looks like a pretty cool product.
     
  10. cmsurfer

    Thanks for all the replies. Yes, I just need to cut the access on one or two machines on the network, for now at least. I'm not looking to spend money on a software application, but that Browse Control looks pretty cool.

    The user just needs to get e-mail and we have an in-house e-mail cube. The user will also need access to network drives.

    I guess right now, I can just set up a fake proxy on the machine for now and see what happens...

    5Gen_Prelude - All machines but the servers are on DHCP. How can I not fill in the gateway address when it's all obtained automatically?

    CM>
     
  11. col_panic

    good point
     
  12. 5Gen_Prelude

    Reservations can have custom DHCP options :wiggle:
     
  13. Little Spunky $#!T

    I know that with my Linksys Wireless G Router I can block certain IPs from accessing the intraweb
     
  14. mdaniel

    You don't say if your DHCP server is a SOHO router, a Win2000 Server, Unix/Linux, etc. Your DHCP server controls a range of IP addresses. In the case of a router, it might be 192.168.0.2-192.168.0.50. Just manually assign the machine in question an IP address outside of that scope, like 192.168.0.51.
     
  15. col_panic

    :uh: this is the easiest thing of all. if you can block it at the router, either by assigning a static ip to the machine and blocking it explicitly, or depending on the router, by modifying the acl for internal traffic to access the outside you can do it in one place with current hardware (except that you have to set the blocked pc to static ip)
     
  16. cmsurfer

    Sorry, forgot to mention that we have Comcast cable Internet and they supplied the router. We actually just got a new one from them. It is an SMC modem/router as one unit. But, they manage everything about it, so I can't touch it...

    CM>
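
The host-side option raised in the thread (a static address such as 192.168.0.51 with the default gateway left blank) can be checked on paper before touching the PC. The sketch below is an added example, not code from any poster: it models the forwarding decision the workstation makes, with and without a default route. The /24 mask, the gateway 192.168.0.1 and the server addresses are constructed assumptions.

```python
import ipaddress

def build_routes(ip_with_prefix, gateway=None):
    """Route table a host derives from its IP settings: one on-link route for
    its own subnet, plus 0.0.0.0/0 only when a default gateway is set."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    routes = [(iface.network, None)]  # None = deliver directly on the LAN
    if gateway:
        routes.append((ipaddress.ip_network("0.0.0.0/0"),
                       ipaddress.ip_address(gateway)))
    return routes

def forward(dest, routes):
    """Longest-prefix match. Returns 'on-link', 'via <gw>' or 'unreachable'."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in routes if dest in net]
    if not matches:
        return "unreachable"
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return "on-link" if gw is None else f"via {gw}"

# Constructed sample destinations (assumptions, not taken from the thread).
TARGETS = {
    "mail server": "192.168.0.10",
    "file server": "192.168.0.11",
    "server on another internal subnet": "192.168.5.20",
    "Internet host": "203.0.113.80",
}

def report(ip_with_prefix, gateway=None):
    """Forwarding result for every sample destination."""
    routes = build_routes(ip_with_prefix, gateway)
    return {name: forward(addr, routes) for name, addr in TARGETS.items()}

if __name__ == "__main__":
    for label, gw in (("DHCP lease with gateway", "192.168.0.1"),
                      ("static, gateway left blank", None)):
        print(label)
        for name, result in report("192.168.0.51/24", gw).items():
            print(f"  {name:35} {result}")
```

With the gateway blank, anything outside the workstation's own subnet is unreachable, so this only fits when the mail and file servers sit on the same subnet as the PC.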
     
