Windows Block Access To Internet Explorer

My parents own a hotel. The office in the hotel has a PC in it (Win XP). Now, we're gettin broadband soon thanks to a grant from the government, but this poses a problem. The PC in the office is accessible to the staff (to create menu's access emails etc). We need to be able to block access to "the internet" while being able to send/recieve emails. IIRC they use Outlook Express to access emails.

 

Err...Why? Wouldn't the staff benefit from internet access?

 

One way is to rename and hide the IE files as here, but that only disables IE.

Another way (I think) is to point all urls to a black hole, a super Ad-Blocker, with the Hosts file. This would stop somebody plugging a Firefoxxed flash drive into the USB port, but fairly easy to get round.

Neater version here.

 

Block port 80 using a firewall

Then lock down the firewall so that only your login has Admin access. I would be surprised if that didn't do it, although maybe I'm missing some basic thing(I am really stupid)

 

Disable everything but SMTP connections with a bitchin' firewall? That's all I can think of that's practical other than cpemma's suggestion(s).

 

Surely POP3 would need to be allowed too, since they need to recieve email as well, or maybe i've misunderstood what POP3 is.

But disabling port 80 would be my suggestion, so long as they weren't smart enough to route HTTP through another port(if tahts even possible) or SSH out to another computer then I don't think you'd have much bother.

 

Blocking port 80 is the best way to disable web browsing, however they will still be able to use AIM, IRC or anything else that doesn't use port 80. You can manually add all those ports too, or you can try blocking everything but smtp/pop ports.

 

Novell makes software that can block such things like browsers and all, well for the price you pay it should! My high school used it and I couldn't get netscape to work as a seperate browser

 

1. get a firewall

2. open port 110 and port 25 for TCP access, then open port 53 for UDP access

3. close everything else.

tht basicly allows pop3 (receiving email), smtp (sending email) and dns (looking for your email server).

thats about as tight as its going to get.

the trick is, you need a firewall that only the administrator can access. off the top of my head, you can use windows firewall, if you set it on an administrator account, then set up email on a non-administrator account.

<edit>

actually, now i come to think of it, there is another way.

remove the DNS ip addies in your network adaptor settings. your machine instantly becomes unable to resolve any url's cause it loses its dns capability. then you can just manually add the ip/host of your email servers into your hosts file. that way, windows allready knows the ip/host of your mail server and cant find anything else on the internet. you should be able to do it from an administrative account, then use email on a non-administrative account.


anyways, im off back to bed, i got the flu.
</edit>

 

An easy way would to just buy Norton Internet Security (Since its for a business, you can afford it!) and then when it asks if it should allow access to the internet for these programs (IE, AIM, yahoo) simply click no, and password protect the program. Alot more simple than blocking the port and the like.

 

Not really. Blocking ports is a proverbial piece of urine, even windows firewall can do it. Norton corporate would be a way of doing it, but you're as well to do it just by blocking port 80 in any old firewall. Its an extremely simple operation.

 

Yeha, it kinda needs to be simple to do and undo cause the PC is ~5 hours away from me, and I foresee that they may actually want to use the internet for business related things every so often.

 

Thats a problem. If they know how to change it and you're 5 hours away you can guarentee they'll keep it that way once they know how. Maybe an idea would be to set up remote desktop(VNC) or something so when they need access they can email you a request and you can let them online.

 

Yeha, i was just hoping there was some program that puts a password on certain programs so only the manager can use it and grant access to people when she allows it.

 

Not that this is a suggestion, but by default Windows 2003 won't let you browse outside of your own computer. took me a while to figure that out when i first installed it.

 

Have you got a router?

I think some routers allow access to the config page from the WAN. So basically you could block port 80 (Using the router's firewall which would be pretty solid), but if internet access was needed, you could tap into it from a remote location to enable it. Then all you'd need to do would be to lock the router in a cabinet or something to prevent one of your pesky workers from hard-resetting it.

Or you could be a cool boss and just let them use the internet. A happy worker is a good worker etc

 

I say unplug the network cord and buy them a couple rolls of stamps.

Seriously though, I agree with the firewall idea, or the changed hosts file. They'd have to be pretty damn computer literate to figure those out.