Re: suspiciously inactive user
- From: BaDbod <BaDboD@xxxxxxxxxxxxx>
- Date: Tue, 19 Apr 2005 15:25:29 +0700
I use an anonymous proxy service like the-cloak.com. Works fine as long as they haven't blocked it. There are many too. Check what sites he is visiting to see if this is the case. Here in Thailand the government have the ISPs block certain sites but they are all available using this method. Have also used this method on large NGOs' networks that are very strict, to good effect. He should not be able to download using this method though.
There are also some utilities you can download freely that will 'tunnel' and allow you to download etc.: http://www.htthost.com/ (check their 'quick overview' for a detailed explanation of tunneling).
Here is a non-free one: http://www.bypass.cc/ and check here for general info on proxy bypassing: http://www.zensur.freerk.com/ and here: http://www.peacefire.org/circumventor/simple-circumventor-instructions.html for a detailed explanation of one method a previous poster mentioned.
Hope this helps. BaDboD
I have a 192.168.x.x private network setup. Users access the Internet via ISA 2000. No user has a default gateway set up on their PC other than myself, nor do they have the firewall client installed, so they cannot access the Internet directly.
The ISA server has a program called iFilter running on it that restricts Internet access based on a set of rules I set up. It stops porn, program downloads, gambling, ad sites, etc. I know that the restrictions are working because I get violations all the time from almost every user except for one. I am very suspicious because this one user was always the biggest complainer and the biggest violator for downloading exe files, zipped demo programs, etc. which I do not allow.
Over the past few months he has not had a single violation or complained about the restrictions. His Internet activity log is also a lot smaller than what I would think it should be especially for the research that he is doing. This leads me to believe that he is bypassing the ISA server.
I have checked his computer remotely and saw that he does not have a default gateway set up and it appears his browser is configured correctly so there is nothing obvious. The person is a programmer so they have enough knowledge to find shady utilities to help them bypass the ISA. Because they are a programmer I need to allow them to be a local administrator on their computer so it is difficult to prevent them from using, say, the NET command to and remove the gateway at will or bringing in a shady utility that allows them to surf anonymously.
Normally I would just confront this person and tell them that I am going to audit their PC based on my suspicions, but they know some higher ups on a personal level. I do as well, but I don't want to get this into a pissing match over suspicions. I want something that I can prove.
Are there any security programs that detect shady utilities that are designed to bypass proxy and ISA servers? I need to be able to monitor this PC remotely and get some type of report that shows what he is really doing and compare that to what ISA and my iFilter program is logging.
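
For the comparison asked about above, one defender-side check over the proxy's own logs, as an added example that is not part of either post: a web anonymizer or HTTP tunnel of the kind the reply describes sends nearly all of a user's requests to a single host. The log layout, user names, host names and thresholds are constructed assumptions, not ISA's native log format.

```python
from collections import Counter, defaultdict

# Constructed sample lines in a simplified layout (an assumption, not ISA's format):
# date time client-ip user method host
SAMPLE_LOG = """\
2005-04-18 09:01:12 192.168.1.21 alice GET www.example.com
2005-04-18 09:02:40 192.168.1.21 alice GET news.example.org
2005-04-18 09:05:03 192.168.1.21 alice GET docs.example.net
2005-04-18 09:07:55 192.168.1.21 alice GET www.example.com
2005-04-18 09:09:31 192.168.1.21 alice GET mail.example.org
2005-04-18 09:03:10 192.168.1.34 bob GET relay.example.invalid
2005-04-18 09:03:11 192.168.1.34 bob GET relay.example.invalid
2005-04-18 09:04:02 192.168.1.34 bob GET www.example.com
2005-04-18 09:04:30 192.168.1.34 bob GET relay.example.invalid
2005-04-18 09:06:17 192.168.1.34 bob POST relay.example.invalid
2005-04-18 09:08:44 192.168.1.34 bob GET relay.example.invalid
2005-04-18 09:10:05 192.168.1.34 bob GET RELAY.example.invalid
2005-04-18 09:11:00 192.168.1.50 carol GET intranet.example.com
2005-04-18 09:12:00 192.168.1.50 carol GET intranet.example.com
"""

def per_user_hosts(log_text):
    """Return {user: Counter({host: request_count})} from the log text."""
    hosts = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        user, host = fields[3], fields[5].lower()  # host names are case-insensitive
        hosts[user][host] += 1
    return hosts

def flag_concentrated(log_text, min_requests=5, min_share=0.8):
    """List (user, host, share) where one host receives most of a user's requests."""
    findings = []
    for user, counter in sorted(per_user_hosts(log_text).items()):
        total = sum(counter.values())
        if total < min_requests:
            continue  # too little traffic to judge
        host, count = counter.most_common(1)[0]
        share = count / total
        if share >= min_share:
            findings.append((user, host, round(share, 2)))
    return findings

if __name__ == "__main__":
    for user, host, share in flag_concentrated(SAMPLE_LOG):
        print(f"{user}: {share:.0%} of requests go to {host}")
```

A flagged host is a lead for review, since a legitimate web application can dominate a user's traffic in the same way.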