Whitelisting

edited March 2005 in Science & Tech
Does anyone know how, or if it's even possible, to whitelist domains instead of blacklisting them through methods such as hosts file entries? We plan on deploying almost 50 laptops in the field but don't want them to access sites on the internet. However, we have some applications that use a web interface that is crucial for our people. We would like to use something native to Windows and avoid third party programs if possible. Does anyone have anything in their bag of tricks that would accomplish this? Thanks in advance....

KingFish

Comments

  • profdlp The Holy City Of Westlake, Ohio
    edited March 2005
    Putting them in your trusted sites should do it:
  • Dexter Vancouver, BC Canada
    edited March 2005
    But that won't block internet access to the browser or anything else. And even if you do a whole bunch of sites to the restricted sites list, or even "*.com", you are not restricting viewing of those sites, just ActiveX and Java permissions, etc. And, the Restricted Sites list is pretty easily defeated by deleting the entry from the restricted list, or using Firefox installed from a CD-ROM.

    I don't think you can do this without a 3rd party app. A software firewall would probably be the way to go. You could deny IE access to the Net, but allow your custom sites access. Or just block access to all destination IP's except the ones you need your custom apps to access. Then put a password on the Firewall's config, and voila, you have locked out and probably slightly annoyed users. :)

    Dexter...
  • edited March 2005
    You're right about the blocking of Java/ActiveX on the trusted sites list. It's meant to only whitelist sites with respect to running code rather than outright blocking period. I've already looked into that route. The other route we have contemplated is using Content Advisor but have decided to not go that route.

    From what I've dug up (or wasn't able to dig up depending on how you look at it) on the internet I didn't think I would be able to accomplish it without a third party app like ZoneAlarm. I figured I'd give it a last ditch effort here on the forums before I started those firewall installs. As far as the annoyed users, screw 'em ;D . I'd rather lock them down rather than remove spyware from them continually. They were quite annoyed when I implemented group policy editor months ago too. I'll get out the Kleenex for them now. Thanks Dex :cool:

    KingFish
  • Dexter Vancouver, BC Canada
    edited March 2005
    You could really piss 'em off by putting Net Nanny on them....

    ;D

    Dexter...
  • edited March 2005
    Funny you should say that.....it's one of the third party progs we were considering. I think I'm going with ZoneAlarm Pro
  • Dexter Vancouver, BC Canada
    edited March 2005
    Why not go with the cheaper version of Zone Alarm that also offers anti-virus protection? If the users are not going to be surfing the net, they don't need the privacy protection features that the Pro package offers. The anti-virus protection covers file-access scanning as well, so you would get scanning of any CD's or memory sticks plugged into the laptops.

    Dexter...
  • edited March 2005
    The regular version doesn't have the flexibility in the rules that the Pro version does. I can block all ports and protocols in the Pro version and specify exceptions that, in effect, create whitelists. I can't do all of that with the standard version.
  • EMT Seattle, WA Icrontian
    edited March 2005
    If you're still interested in doing it without a 3rd party prog: Maybe you could edit the routing table to throw most IP addresses out the window? I don't know anything about how to do that though (beyond looking at 'net route').
  • edited March 2005
    Well I've changed course a bit after tinkering with it all evening. Configuring ZoneAlarm Pro was a b**** in the expert rules and didn't even work right. After messing with that for about two hours I didn't think going the firewall route was the way to go. I then looked at review sites for various 3rd party web filtering programs and decided on CYBERsitter. Oh how appropriate for the children here ;D . It takes up a minimal footprint and works quite well.

    On the other hand and out of curiosity, anyone know about the routing table technique that EMT was referring to? I'd still like to know about it as it may be of benefit. Thanks again.

    KingFish
  • dodo Landisville, PA
    edited March 2005
    Wouldn't you need to know IP addresses for the net route? That would be hard to implement unless you ran through a proxy or something.

    ~dodo
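
Added example, not part of any post in this thread and not any firewall product's configuration: a small Python model of the "block everything, then list exceptions" rule logic discussed above, which also shows why IP-level rules need addresses rather than hostnames. The rule set, the addresses (documentation ranges) and the connection attempts are constructed for illustration.

```python
import ipaddress

# Constructed allowlist entries: (destination network, protocol, port).
# Addresses come from documentation ranges, not from the thread.
ALLOW_RULES = [
    ("192.0.2.10/32", "tcp", 443),    # hypothetical web-interface application
    ("198.51.100.0/24", "tcp", 80),   # hypothetical application server subnet
    ("192.0.2.53/32", "udp", 53),     # hypothetical DNS resolver
]

def compile_rules(rules):
    """Parse the network strings once so each lookup is a cheap containment test."""
    return [(ipaddress.ip_network(net), proto.lower(), port)
            for net, proto, port in rules]

def decide(rules, dst, proto, port):
    """Default deny: return 'allow' only when an explicit exception matches."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # A hostname (or garbage) cannot be matched by an IP-level rule.
        # It has to be resolved first, and the rule is only as current
        # as that resolution.
        return "deny"
    for net, r_proto, r_port in rules:
        if addr in net and proto.lower() == r_proto and port == r_port:
            return "allow"
    return "deny"

def evaluate(attempts, rules=ALLOW_RULES):
    """Return the verdict for each (destination, protocol, port) attempt."""
    compiled = compile_rules(rules)
    return [decide(compiled, dst, proto, port) for dst, proto, port in attempts]

# Constructed outbound connection attempts.
ATTEMPTS = [
    ("192.0.2.10", "tcp", 443),       # listed application           -> allow
    ("192.0.2.10", "tcp", 80),        # right host, unlisted port    -> deny
    ("198.51.100.77", "TCP", 80),     # inside the listed subnet     -> allow
    ("203.0.113.5", "tcp", 443),      # unlisted destination         -> deny
    ("app.example.test", "tcp", 443), # hostname, not an IP address  -> deny
    ("2001:db8::1", "tcp", 443),      # IPv6, no matching exception  -> deny
]

if __name__ == "__main__":
    for attempt, verdict in zip(ATTEMPTS, evaluate(ATTEMPTS)):
        print(f"{verdict:5}  {attempt}")
```
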