TechSpot

How can I disable web browsing using IE on PCs connected in LAN?

By Adam22
Jun 5, 2007
  1. Hello everyone!

    I'm working in a company as IT personnel. Now I'm maintaining a LAN (3 different LANs) connected thru a router and a switch. The first 2 LANs have internet access - a DSL modem was connected to the router then thru a switch; while the 3rd LAN has no internet connection.
    All LANs are working just fine. My problem is, in the 2 LANs where internet connection is present and available, there are 52 computers connected in a WORKGROUP (there are 8 different workgroups). But, among the 52 computers, ONLY 8 users are ALLOWED to browse the WEB thru IE. The IT personnel whom I replaced just hid the IE icon from the desktop and made the IE file attribute in the WINDOWS folder "hidden" so that users can't launch the Web browser. But users here are smarter than the IT staff *grin* because some were graduates of Computer Engineering courses and they were able to browse the web anytime they wanted. Then the previous IT personnel just installed a kind of spyware that kept screenshots of the user's web activity. And it worked just fine. Anytime the IT people caught any websurfing thru that spyware, they just informed the management for sanctions.
    In my case, I'm searching the web now to get some help and ideas on how to disable IE to prevent users from accessing the internet, or find some helpful registry tweaks, if there are any, to prevent users from accessing the internet thru IE.

    Thank you for your help!
    -JM
     
  2. Nodsu

    Nodsu TS Rookie Posts: 9,431

    What makes you think registry tweaks would defeat the CE masterminds? They would just undo the registry thing.. :p

    Now, do you want to disable web browsing completely or just prevent them from using IE?
     
  3. Adam22

    Adam22 TS Rookie Topic Starter

    I want to prevent them from using IE. But if you can also tell me how to completely disable web browsing for "selected" users on the LAN, I will greatly appreciate it. Thanks.
     
  4. k.jacko

    k.jacko TS Rookie Posts: 743

    Seeing as you're on workgroups and not a domain, can't you just go to each pc, log in as an admin and alter group policy?
    It's gonna be a bit of a job doing it on so many PCs, but then that's your company's fault for not having a DC, tight gits.
    That many pc and groups = DC for sure!!

    Anyway, as long as your users log in as restricted users I'm sure you can do what I've suggested.

    Or.... are they on DHCP? If not, then is your router decent enough to lock down the relevant ports (80, and possibly 8080) on all IPs except the ones you want to have access?
     
  5. Nodsu

    Nodsu TS Rookie Posts: 9,431

    And what would you do in group policy to prevent users from running program X? Block iexplore.exe? I could rename it. Delete iexplore.exe? I can download my own.. Seriously corrupt IE registry settings so it can't function? That's an idea..

    The only way on the client machine would be a software firewall taught to block iexplore.exe. (Or block everything but specific apps).


    The better way to block IE would be to set up a web proxy that blocks requests by user agent string. (Yes, that can be hacked too of course.)


    To block network access completely, you just set up firewall rules on your router.
     
  6. jobeard

    jobeard TS Ambassador Posts: 13,521   +336

    1. in general, block outgoing requests on port 80
    2. for those authorized, use a proxy configuration
    on the proxy, make the client port other than port 80, and send the
    real requests on a second NIC which does not have port 80 closed.
     
  7. Adam22

    Adam22 TS Rookie Topic Starter

    Thanks everyone! I now have great ideas from all of you guys... I'll try to do some tests or experiments with some PCs today. Anyway, I have a problem with the LAN setup here and the internet setup as well. These are all new to me because this is only on a workgroup........ no dedicated server to govern the rest of the PCs. Actually, I don't know how they configured the switch and the router..... Today is my 5th day of work, that's why all I did was trace everything to get a good grasp of the network setup we have.
    OK, here is a scenario. WHENEVER the SWITCH and ROUTER are turned ON, any PC can access the WEB.... so, what do you think? How can I restrict ports from the router configuration? I'm sorry, I'm really new to these..... Thanks!

    And.... IP assignments are through DHCP, so IPs are not constant.....
    And.... no computer is directly connected to the router, shall I connect ONE computer directly to the router so that I can configure the router to BLOCK port 80 on selected PCs on LAN?
     
  8. ellyquim

    ellyquim TS Rookie

    Hope I am right.. as you mentioned earlier, your LAN connection setup is like this: a DSL modem > router > switch > group of PCs. You can actually block port 80 or 8080 on a router but you have to do it on static IP addressing in order to block a range of IP addresses or since I don't usually look at my router everyday. You can block the MAC address of the PC even if you're running DHCP.. the MAC address for sure is unique in every NIC
     
  9. Nodsu

    Nodsu TS Rookie Posts: 9,431

    First, the switch is unimportant. From IP point of view it is a transparent dumb device. (Unless it is some kickass managed monster from Cisco or suchlike..)

    Also, the router may be so smart that you can make it assign a specific IP to a specific MAC through DHCP, so you wouldn't have to go to each PC to give them static IPs..

    The router should have a packet filter kind of thing. Ideally you would block everything and then add some "allow" rules for specific machines and specific services.
     
  10. k.jacko

    k.jacko TS Rookie Posts: 743

    Half agree with you mate, but wouldn't he have to go to every PC to find their MAC address? The same amount of work as statically assigning IPs I would have thought.

    I did mention in my first post that port blocking seemed the best option, a few seem to agree. It does seem the simplest solution as long as he has got a decent router/firewall.

    As regards group policy, surely *****s that try to hack around it are subject to severe disciplinary procedures. I use it at my workplace. No one tries to fool the system because they either don't know how to, or they would be in big trouble if they did.
    __________________

    Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that section. ;)
     
  11. johnalvin

    johnalvin TS Rookie

    Just go to the 8 users who are allowed to use IE, then list down their MAC addresses, then add those MAC addresses to your allowed rules.
     
     
  12. Nodsu

    Nodsu TS Rookie Posts: 9,431

    The router's DHCP page reports all assigned IPs and MAC addresses.
    Also, you can easily find the MAC addresses of all the computers on your local LAN with the arp command and ping (or any network mapper like nmap).
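
The inventory step discussed in the posts above (collect MAC addresses with arp, then allow only the permitted machines and block everything else), as an added example that is not part of the original thread. The `arp -a` text, the allowlist and the function names are constructed for illustration; the result is a plan to enter in the router, not any router's own syntax.

```python
import re

# Constructed sample of Windows `arp -a` output (all addresses are made up).
# The ARP cache only lists hosts this PC has talked to recently, which is
# why the post pairs arp with ping.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.21          00-1A-2B-3C-4D-5E     dynamic
  192.168.1.22          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.23          00-1a-2b-3c-4d-60     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Hypothetical allowlist of permitted users' MACs, written in mixed notations.
ALLOWED = ["00:1a:2b:3c:4d:5e", "001A.2B3C.4D99"]

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")

def normalize_mac(mac):
    """Reduce dash, colon or dotted notation to lower-case aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Return {ip: mac} for unicast entries in `arp -a` output."""
    hosts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac = normalize_mac(m.group(2))
            # Lowest bit of the first octet set means broadcast/multicast.
            if not int(mac[:2], 16) & 1:
                hosts[m.group(1)] = mac
    return hosts

def plan(arp_text, allowed, router_ip="192.168.1.1"):
    """Default deny: only allowlisted MACs get web access, the rest are blocked."""
    allow = {normalize_mac(m) for m in allowed}
    hosts = parse_arp(arp_text)
    hosts.pop(router_ip, None)  # the gateway itself is not a client
    return {
        "allow": sorted(ip for ip, mac in hosts.items() if mac in allow),
        "deny": sorted(ip for ip, mac in hosts.items() if mac not in allow),
        "allowed_but_not_seen": sorted(allow - set(hosts.values())),
    }
```

An entry under `allowed_but_not_seen` means a permitted PC was off or never contacted when the table was captured, so the inventory is incomplete until it is pinged and re-checked.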
     
  13. k.jacko

    k.jacko TS Rookie Posts: 743

    ....so the router presents a table detailing MAC address and IP address and more importantly computer name (so we know who is assigned what)?
    Oh yeaahhhhh I remember now, thanks, lol.

    Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that section. ;)
     
  14. Adam22

    Adam22 TS Rookie Topic Starter

    Thanks everyone! You helped me a lot! Now I have blocked the MAC addresses of the computers that are not allowed to access the internet. I tried it with one PC and I think it will apply to all. I used the router's Web Utility interface at 192.168.1.1, blocking their MAC addresses from the Security Tab! Thanks........ If there would be any problem from then on...I will let everyone know....:) Thumbs up to all of you guys!!!
     
  15. computerexpert1

    computerexpert1 TS Rookie

    You could do all of the above listed ideas and ways, or you could logon to the Server computer, and set access restrictions through the server computer.
     
Topic Status:
Not open for further replies.

