How can I block a Windows 2000/XP/2003 computer from surfing on the Internet but still allow it to surf to Intranet sites?
As written in the previous article, Block Web Browsing with IPSec, Windows 2000/XP/2003 machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol designed to protect individual TCP/IP packets traveling across your network by using public key encryption. Besides encryption, IPSec also lets you protect and configure your server/workstation with a firewall-like mechanism.
How can you block specific users from surfing the Internet but still allow them to use a web browser to surf to internal (Intranet) sites? Right! With IPSec.
You can do so simply by creating a policy element that tells the computer to block all IP traffic that uses HTTP and HTTPS, which use TCP ports 80 and 443 respectively as their destination ports. By blocking this specific traffic you stop that computer from browsing the Internet.
But wait! Blocking all HTTP and HTTPS traffic will also prevent the user from surfing to internal sites.
The solution is to add another policy element that will in fact ALLOW HTTP and HTTPS traffic, but only to a specific computer's IP address, a specific computer's DNS name, or an entire subnet of computers.
You can configure this policy specifically for one computer by manipulating that computer's local IPSec policy, or, even better, you can configure the policy as a Group Policy Object (GPO) on a specific Site, Domain or Organizational Unit (OU). In order to configure a GPO you must have Active Directory in place.
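As an added example (not part of the original article), here is the same two-element policy scripted for a single computer with `netsh ipsec static`, which is available on Windows XP SP2 and Windows Server 2003 (Windows 2000 needs ipsecpol.exe from the Resource Kit instead). The policy and filter list names and the intranet subnet 10.0.0.0/24 are assumed placeholders.

```batch
@echo off
rem Added example, not the article's own script: build the "block all web, permit
rem intranet web" IPSec policy described above. Run from an administrative prompt.
rem Placeholders (assumed): the policy name and the intranet subnet 10.0.0.0/24.
set POLICY=Block Internet Web Browsing
set INTRANET=10.0.0.0
set INTRANETMASK=255.255.255.0

rem 1. Create the policy container. Nothing takes effect until it is assigned (step 6).
netsh ipsec static add policy name="%POLICY%" description="Block HTTP/HTTPS except to the intranet"

rem 2. Filter list matching ALL HTTP and HTTPS (TCP 80 and 443) from this host to anywhere.
rem    srcport=0 means any source port; mirrored=yes also matches the reply packets.
netsh ipsec static add filterlist name="All Web Traffic"
netsh ipsec static add filter filterlist="All Web Traffic" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="All Web Traffic" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

rem 3. Filter list matching only web traffic to the intranet subnet (replace with a
rem    single host address if you want to allow just one internal web server).
netsh ipsec static add filterlist name="Intranet Web Traffic"
netsh ipsec static add filter filterlist="Intranet Web Traffic" srcaddr=me dstaddr=%INTRANET% dstmask=%INTRANETMASK% protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Intranet Web Traffic" srcaddr=me dstaddr=%INTRANET% dstmask=%INTRANETMASK% protocol=TCP srcport=0 dstport=443 mirrored=yes

rem 4. Two plain filter actions: drop, and pass through without IPSec negotiation.
netsh ipsec static add filteraction name="Block Traffic" action=block
netsh ipsec static add filteraction name="Permit Traffic" action=permit

rem 5. Tie filter lists to actions as rules of the policy. IPSec applies the most
rem    specific matching filter, so the subnet-scoped permit wins over the "any"
rem    block for intranet destinations and the block still applies to everything else.
netsh ipsec static add rule name="Block Internet Web" policy="%POLICY%" filterlist="All Web Traffic" filteraction="Block Traffic"
netsh ipsec static add rule name="Allow Intranet Web" policy="%POLICY%" filterlist="Intranet Web Traffic" filteraction="Permit Traffic"

rem 6. Assign the policy; only one local IPSec policy can be assigned at a time.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Check: display the policy and its rules to confirm both rules are present.
netsh ipsec static show policy name="%POLICY%"
```

If an IPSec policy is assigned to the computer through a domain GPO, that domain policy takes precedence and this local policy is ignored; `netsh ipsec static set policy name="%POLICY%" assign=n` undoes the local assignment.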