How can I disable web browsing using IE on PCs connected in LAN?

Status
Not open for further replies.
Hello everyone!

I'm working in a company as an IT personnel. Now I'm maintaining a LAN (3 different LANs) connected thru a router and a switch. The first 2 LANs have internet access - a DSL modem was connected to the router then thru a switch; while the 3rd LAN has no internet connection.
All LANs are working just fine. My problem is, in the 2 LANs where internet connection is present and available, there are 52 computers connected in a WORKGROUP (there are 8 different workgroups). But, among the 52 computers, ONLY 8 users are ALLOWED to browse the WEB thru IE. The IT personnel whom I replaced just hid the IE icon from the desktop and made the IE file attribute in the WINDOWS folder "hidden" so that users can't launch the Web browser. But users here are smarter than the IT staff *grin* because some were graduates of Computer Engineering courses and they were able to browse the web anytime they wanted. Then the previous IT personnel just installed a kind of spyware that kept screenshots of the user's web activity. And it worked just fine. Anytime the IT people caught any websurfing thru that spyware, they just informed the management for sanctions.
In my case, I'm searching the web now to get some help and ideas on how to disable IE to prevent users from accessing the internet, or find some helpful registry tweaks, if there are any, to prevent users from accessing the internet thru IE.

Thank you for your help!
-JM
 
What makes you think registry tweaks would defeat the CE masterminds? They would just undo the registry thing.. :p

Now, do you want to disable web browsing completely or just prevent them from using IE?
 
I want to prevent them from using IE. But if you can also tell me how to completely disable web browsing to "selected" users on LAN, i will greatly appreciate it. Thanks.
 
Seeing as you're on workgroups and not a domain, can't you just go to each PC, log in as an admin and alter group policy?
It's gonna be a bit of a job doing it on so many PCs, but then that's your company's fault for not having a DC, tight gits.
That many PCs and groups = DC for sure!!

Anyway, as long as your users log in as restricted users I'm sure you can do what I've suggested.

Or.... are they on DHCP? If not, then is your router decent enough to lock down the relevant ports (80, and possibly 8080) on all IPs except the ones you want to have access?
 
And what would you do in group policy to prevent users from running program X? Block iexplore.exe? I could rename it. Delete iexplore.exe? I can download my own.. Seriously corrupt IE registry settings so it can't function? That's an idea..

The only way on the client machine would be a software firewall taught to block iexplore.exe. (Or block everything but specific apps).


The better way to block IE would be to set up a web proxy that blocks requests by user agent string. (Yes, that can be hacked too of course.)


To block network access completely, you just set up firewall rules on your router.
 
  1. in general, block outgoing requests on port 80
  2. for those authorized, use a proxy configuration:
     on the proxy, make the client port other than port 80, and send the
     real requests on a second NIC which does not have port 80 closed.
 
Thanks everyone! I now have great ideas from all of you guys... I'll try to make testings or experiments with some PCs today. Anyway, I have a problem with the LAN setup here and the internet setup as well. These are all new to me because this is only on a workgroup........ no dedicated server to govern the rest of the PCs. Actually, I don't know how they configured the switch and the router..... Today is my 5th day of work, that's why all I did was trace everything to have a good grasp of the network setup we have.
OK here is a scenario. WHENEVER the SWITCH and ROUTER are turned ON, any PC can access the WEB.... so, what do you think? How can I restrict ports from the router configuration? I'm sorry, I'm really new to these..... Thanks!

And.... IP assignments are through DHCP, so IPs are not constant.....
And.... no computer is directly connected to the router, shall I connect ONE computer directly to the router so that I can configure the router to BLOCK port 80 on selected PCs on LAN?
 
Hope I am right.. as you mentioned earlier your LAN connection setup is like this: a DSL modem > router > switch > group of PCs. You can actually block port 80 or 8080 on a router but you have to do it on static IP addressing in order to block a range of IP addresses or since I don't usually look at my router every day. You can block the MAC address of the PC even if you're running DHCP.. a MAC address for sure is unique in every NIC
 
First, the switch is unimportant. From IP point of view it is a transparent dumb device. (Unless it is some kickass managed monster from Cisco or suchlike..)

Also, the router may be so smart that you can make it assign a specific IP to a specific MAC through DHCP, so you wouldn't have to go to each PC to give them static IPs..

The router should have a packet filter kind of thing. Ideally you would block everything and then add some "allow" rules for specific machines and specific services.
 
Half agree with you mate, but wouldn't he have to go to every pc to find their mac address? The same amount of work as statically assigning IP's i would have thought.

I did mention in my first post that port blocking seemed the best option, a few seem to agree. It does seem the simplest solution as long as he has got a decent router/firewall.

As regards group policy, surely *****s that try to hack around it are subject to severe disciplinary procedures. I use it at my workplace. No one tries to fool the system because they either don't know how to, or they would be in big trouble if they did.

Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that section. ;)
 
Just go to the 8 users who are allowed to use IE, then list down their MAC addresses, then add those MAC addresses to your allowed rules.
 
k.jacko said:
Half agree with you mate, but wouldn't he have to go to every pc to find their mac address? The same amount of work as statically assigning IP's i would have thought.
The router's DHCP page reports all assigned IPs and MAC addresses.
Also, you can easily find the MAC addresses of all the computers on your local LAN with the arp command and ping (or any network mapper like nmap).
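Added example, not part of any post in this thread: it combines the "block everything, then allow specific machines" advice with the MAC list gathered via `arp`, by parsing `arp -a` output and emitting allow-then-reject rules for the two web ports the thread names. It assumes a Linux-based router or firewall running iptables (the thread's router is configured through a web page instead); the sample ARP table and the allowlist are constructed.

```python
import re

# Constructed sample of Windows `arp -a` output; every address is made up.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.21          00-1A-2B-3C-4D-61     dynamic
  192.168.1.22          00-1a-2b-3c-4d-62     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+\w+\s*$")

def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[-:]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Map unicast MAC -> IP from `arp -a` text; skip broadcast/multicast rows."""
    hosts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac = normalize_mac(m.group(2))
            if not int(mac[:2], 16) & 1:  # group bit clear = unicast
                hosts[mac] = m.group(1)
    return hosts

def build_rules(allowed_macs, ports=(80, 8080)):
    """Accept the web ports named in the thread for listed MACs, reject the rest."""
    base = "iptables -A FORWARD -p tcp -m multiport --dports " + ",".join(map(str, ports))
    macs = sorted({normalize_mac(m) for m in allowed_macs})
    return [f"{base} -m mac --mac-source {m} -j ACCEPT" for m in macs] + [f"{base} -j REJECT"]

def unseen(allowed_macs, hosts):
    """Allowed MACs missing from the ARP table (typo, or the PC is off)."""
    return sorted(m for m in map(normalize_mac, allowed_macs) if m not in hosts)

if __name__ == "__main__":
    hosts = parse_arp(ARP_OUTPUT)
    allowed = ["00-1A-2B-3C-4D-61", "00:1a:2b:3c:4d:99"]  # hypothetical allowlist
    print("\n".join(build_rules(allowed)))
    print("allowed but not seen on the LAN:", unseen(allowed, hosts))
```

A MAC address is a value the client machine reports about itself, so this filter works best alongside the restricted user accounts suggested earlier in the thread.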
 
....so the router presents a table detailing mac address and IP address and more importantly computer name (so we know who is assigned what)?
Oh yeaahhhhh i remember now, thanks, lol.

Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that section. ;)
 
Thanks everyone! You helped me a lot! Now I made the blocking of MAC Addresses of the computers who are not allowed to access the internet. I tried it with one PC and I think it will apply to all. I used the router's Web Utility interface at 192.168.1.1 blocking their MAC addresses from the Security Tab! Thanks........ If there would be any problem from then on... I will let everyone know.... :) Thumbs up to all of you guys!!!
 
You could do all of the above listed ideas and ways, or you could logon to the Server computer, and set access restrictions through the server computer.
 