Re: Restrict browsing

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

---

• From: "Vanguard" <vanguard.code@xxxxxxxxxxxxxx>
• Date: Sun, 27 Nov 2005 12:58:03 -0600

---

"BenJi" <BenJi@xxxxxxxx> wrote in message news:O59YE3r8FHA.1028@xxxxxxxxxxxxxxxxxxxxxxx

But I dont want to go that deep.
These rules are for mobile units used by field technicians. I want to implement this kind of rules, and I know it is possible, as I saw them implemented in a public library. Browsing was limited to a dozen of sites, through the Windows registry...

"Vanguard" <vanguard.code@xxxxxxxxxxxxxx> a écrit dans le message de news: %23xU56Vr8FHA.3416@xxxxxxxxxxxxxxxxxxxxxxx

"BenJi" <BenJi@xxxxxxxx> wrote in message news:%23c9YfEr8FHA.3976@xxxxxxxxxxxxxxxxxxxxxxx

Hi!
I'm looking for the way to restrict Internet browsing only to a small list
of allowed sites, through the registry, without using things such as "content
advisor".

It is comparable to the RestrictRun for Windows processes...

Thanks in advance
BenJi

And how will you prevent users from booting from a CD that loads an OS to do their browsing? Nothing of the registry in your OS will get used. You cannot completely restrict browsing by editing the registry or the use of censorware on the host to which you permit access. If the user has physical access to the computer, they can bypass any security you have implemented on it. After all, all they have to do is visit the newsgroups to ask how to nullify whatever you implemented on the host you let them use. You need to use an upstream host or a firewall (which is inaccessible to your users) to restrict where your users can go.

The enablement and list of sites specified by Content Advisor are stored in the registry, so instead of going through the UI interface to Content Advisor under Internet Options to update the registry keys, you could just put them into the registry directly.

Internet Options also lets you specify which sites to include in the Restricted Sites security zone but that is just another UI to update the registry so you could also directly add/change values in the registry. However, the Restricted Sites security zone does not bar you from visiting a site, only in what features the browser will support when you download pages from there.

The hosts file can be used to block access to sites but only by specifying their IP address, and there may be several IP addresses used by front-end or boundary hosts in a host farm for a domain. You can also only block sites by having the hosts file redirect to localhost (127.0.0.1) rather than specify only which hosts to allow. There are far too many IP addresses for all hosts you want to block to put into a hosts file.

If you don't want to use a software firewall, IPSEC, or censorware, and which blocks changing its settings unless an administrator account is used or a password provided that only you know, and only if they hash their registry keys so they cannot be identified by name to a hacker and their values are hashed to provided detection of the change, then editing some registry keys won't do you any good unless something actually uses those registry keys. You could, for example, go to the advanced properties for filtering options in your TCP/IP protocol and define which IP addresses (not IP names) to allow or block, but again the users can change those although you might thwart some users who don't know how to get around admin permissions under Windows.

Look at the TCP/IP properties for your LAN connectoid (or dial-up if that is what you use), advanced, select TCP/IP protocol, properties, advanced, options, TCP/IP filtering, properties. Might be good enough for what you want. I haven't checked this feature but I suspect it adds registry settings under the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip" registry key. So if you make sure that none of your users's accounts are in the Administrators group then they cannot [directly] edit the registry or load ..reg files to change any settings in there. If you give them admin permissions for their accounts then you give them the same permissions that you have.

.

---

• References:
  • Restrict browsing
    • From: BenJi
  • Re: Restrict browsing
    • From: Vanguard
  • Re: Restrict browsing
    • From: BenJi

• Prev by Date: Re: runtime error
• Next by Date: Re: Font corrupted in OE6
• Previous by thread: Re: Restrict browsing
• Next by thread: Re: IE6 crash with SUN JVM
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Backdoor.Nibu.E. ... It seems straight forward but does not work :-( ... I did a search for all files containing the words "hosts" ... As for the registry, i edited the ... I have disabled system restore and everything else. ... (microsoft.public.windowsxp.general) Re: A problem with "hosts" file: hostnames with dots are not being resolved ... but a qualified antivirus program can do this. ... Registry appears to be OK. ... But doesn't that happen simply because I have two names in the HOSTS ... Pinging zzyzx.com with 32 bytes of data: ... (microsoft.public.win2000.dns) Re: Slow DNS Resolving ... Windows CE stores that information in the Registry, ... MSDN for more info: ... where can I find the Pocket Pc Hosts file? ... (microsoft.public.dotnet.framework.compactframework) Re: Why is hosts file not being used? ... > I have a couple of applications that rely upon the hosts ... > made a registry change. ... (microsoft.public.win2000.networking) Re: Why is hosts file not being used? ... > I have a couple of applications that rely upon the hosts ... > made a registry change. ... (microsoft.public.win2000.dns)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.inetexplorer.ie6.browser  > 2005-11