# Blocking websites either by IP or Domain with Group Policy / IPSEC (not host file)



## fanny pack 2.0 (Sep 18, 2007)

Ok, so I have been searching Google for an easy walkthrough on how to block sites such as MySpace, YouTube, Facebook and other related sites where my father's employees like to waste company time on. **HOWEVER** After reading, blocking sites through IE's block list and adding domains with IPs seem to have easy workarounds compared to IPSEC/Group Policy.

This route allows for all of xxxxx.myspace.com's (subnets) from being accessed as opposed to finding them all out and entering the domain/subnet combos individually in the host file. So if ANYONE has seen a very easy walkthrough ('cause the ones I have seen are Win 2000 and/or are vague and more complicated than required), I would greatly appreciate it.

I am going to continue to search the web, and if I find something I'll post just in case this topic benefits others. I'm determined to solve this issue!!!

Take Care!
FP2
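
An added example, not part of the original post: a small audit that contrasts the two approaches mentioned above. Hosts-file entries match exact names only, while an IP-range filter matches the destination address whatever name was used. The hostnames, the name-to-address pairs and the `203.0.113.0/24` range are constructed placeholders, not the site's real addresses.

```python
import ipaddress

# Constructed sample in the format of %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# block list
127.0.0.1   localhost
127.0.0.1   myspace.com www.myspace.com   # sinkholed
0.0.0.0     profile.myspace.com
"""

# Constructed name -> address pairs; 203.0.113.0/24 is a documentation range
# standing in for whatever addresses the real site uses.
SAMPLE_RESOLVED = {
    "www.myspace.com": "203.0.113.10",
    "profile.myspace.com": "203.0.113.11",
    "music.myspace.com": "203.0.113.12",
    "intranet.example.com": "192.0.2.5",
}

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return the set of names a hosts file redirects to a sinkhole address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue
        blocked.update(name.lower() for name in fields[1:])
    blocked.discard("localhost")
    return blocked

def hosts_blocks(name, blocked):
    """Hosts lookups are exact-match: a parent entry does not cover subdomains."""
    return name.lower() in blocked

def range_blocks(addr, cidrs):
    """An IP filter matches on destination address, regardless of the name."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def coverage(resolved, hosts_text, cidrs):
    """Map each name to (blocked by hosts file, blocked by IP range)."""
    blocked = parse_hosts(hosts_text)
    return {n: (hosts_blocks(n, blocked), range_blocks(a, cidrs))
            for n, a in resolved.items()}

if __name__ == "__main__":
    rows = coverage(SAMPLE_RESOLVED, SAMPLE_HOSTS, ["203.0.113.0/24"])
    for name, (by_hosts, by_range) in rows.items():
        print(f"{name:24} hosts={by_hosts!s:5} ip-range={by_range}")
```

In this constructed data `music.myspace.com` is missed by the hosts file but caught by the range; a range filter only stays accurate while the site's addresses stay inside it and nothing unrelated shares them.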


----------



## pinntech (Aug 26, 2004)

Hi!!

How big is the company? If the company is big enough, you may want to have a look at getting a device such as Barracuda Networks Web Filter. Allows for reporting on sites visited, attempted visits and so forth along with controlling what sites can be accessed and even "allow" certain IPs to access restricted sites too.

Here is a link!

http://www.barracudanetworks.com/ns/products/web-filter-overview.php

Thanks!

Shane


----------



## Broni (Dec 1, 2007)

You can also simply use a router. Most routers will allow you to block/allow certain addresses, block/allow IPs, or ranges of IPs.


----------



## fanny pack 2.0 (Sep 18, 2007)

Well it's not for our larger company, it's for a salon that my father just purchased. Right now everything is running off of a dinky Dell router coming off a DSL connect so that can't really be programmed. There will be 4 computers in the salon, the only 2 that I want restrictions on are the ones running the scheduling and client database (the 2 receptionists' computers basically). So programming a block on Myspace and all that other good stuff for the 2 public computers is not desirable.

I want to strictly use what comes with XP, I'm not looking to invest into a software. I might settle for a freeware if the link you had is such. But I would definitely prefer the in-house abilities that Win XP provides. I went ahead and did the host adjustments and threw myspace with all its subnets into the block list. Now I am making it harder for them to download things.

Anyways, IPSec seems to be pretty difficult being that I know most basics but am not a network tech. Any other suggestions?


----------



## pinntech (Aug 26, 2004)

I just stumbled onto this and have not had a chance to REALLY have a look at it. However, it may or may not be something for you. It's free too. I have downloaded and will be installing it on a test PC I have here to see what all you can do with it.

It's Microsoft Steady State.....

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Thanks!

Shane


----------



## fanny pack 2.0 (Sep 18, 2007)

Nice find Shane! I just watched the video of it, I think I'll download and take a look at the features. I'll let you know if I can figure anything out. Take care!

FP2


----------



## fanny pack 2.0 (Sep 18, 2007)

It turned out to be just a user-friendly version of the Group Policy and didn't really incorporate IPSec. I keep running into walkthroughs but there always seems to be a step on how to do one small thing missing or unclear making the final result useless.

It's getting aggravating, I've moved on to other tasks to keep the receptionists from screwing this computer up when we set it up on Monday. I was thinking about disabling any kind of download through IE. Is there some way I can do that as well? And would that affect receiving files through Outlook?


----------



## pinntech (Aug 26, 2004)

I'm not really sure how you were intending to use IPSEC to "prohibit" site visits.

IPSec is designed to provide authentication (verification of the identity of the sender), integrity (assurance that the data was not changed in transit) and confidentiality (encryption of the data so that it can't be read by anyone who doesn't have the correct key).

Because it operates at the network layer of the OSI model (Layer 3), IPSec has an advantage over SSL and other methods that operate at higher layers. Applications must be written to be aware of and use SSL, while applications can be used with IPSec without being written to be aware of it. Thus encryption occurs transparently to the upper layers.

IPSec protects only IP-based traffic; it is of no use to other network layer protocols such as IPX. There are also some types of IP traffic (such as Kerberos) that are not protected by Microsoft's implementation of IPSec by default. Microsoft calls these exemptions.

Group policy would be your BEST place to start if you are not looking for a PROXY, ISA, or a device to filter traffic with. You'll need Group Policy to keep them from modifying their internet and NIC settings, amongst a zillion other things.

Care to point me to the references for using IPSEC to block users from visiting websites?

Thanks!

Shane


----------



## fanny pack 2.0 (Sep 18, 2007)

Here's the forum I saw this on

http://www.softwaretipsandtricks.com/forum/internet/30191-how-block-websites.html

Go down to psharkauburn's post where he talks about using whois.org to identify sites' IPs. But I had also experimented with IPSec and was able to see all the IPs that myspace's domain used. However, it found all of this but did not give you the option of making that permission an allow or deny like GP would.

Microsoft's explanation seemed to skip that step out as well. We put in that computer today and I have myspace blocked off with the host file and IE's site block list. I'm just going to keep an eye on what everyone is visiting and if I see activity I'll just explain to the staff that their myspace behaviors cause our computers hell (I've seen it, friggin trojans straight off myspace messages through links).

If you want to keep working with me on this I got all the time in the world. I can't seem to find Microsoft's walkthrough for it. The link was on that computer but I can't get to it until later in the week.

But all said, I appreciate the feedback and help. Thanks a lot!
FP2


----------



## pinntech (Aug 26, 2004)

Thanks! Very interesting and I don't blame you for being lost since it doesn't really provide instructions, but just general information. I'll have to look into it and see how many YEARS it would take to implement.


----------



## pinntech (Aug 26, 2004)

This may be of some additional help.... not sure, I have not read it completely yet!

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

Thanks!

Shane


----------

