Denying internet access

[Milenko]

OK, here's the situation:

I have on my network a server who i'll call serv1 for now. serv1 is an NT primary domain controller for the entire network. Serv1 also has Microsoft prosy server 2.0 installed and is serving internet access for the whole network.

On the other side of the building we have an electronics classroom with about 25 machines in it. The problem that I need help with is figuring out how to allow those machines on the network without allowing them internet access.

I can't do it via user permissions cause the kids that go through there also use machines in other labs where they legitimatly need the internet. I can't do it with security software or anything like that becuase in that class the kids learn how to reinstall windows, take systems apart, etc.

The only thing I've come up with so far is to setup a linux box between that lab and the rest of the network. I know Linux does routing and all that junk, as I've used it before to serv internet connections, but I've never used it for anything like this before. I could then setup Linux to not allow connections to serv1 on port 80 (where the proxy listens). This should allow them to authenticate and do anything else on serv1, but not allow proxy connections. I don't see why it wouldn't work, but I wanted to see what you guys and gals came up with first.

The network is all 10/100 mbit and the only protocol in place is TCP/IP. Thanks a lot guys!!!

[shadow1]

Try a third party software like surf control. I use this on the network to limit or even disable access.

[Higg]

Have a look on serv1 with the command "netstat -an" and watch which connections are used (established connects to the students) and to which port the server is listening... could it be your proxy uses a different port than 80?

[Milenko]

I know for sure that the proxy uses port 80. I'm just looking for some opinions on whether or not this will work. I haven't actually tried it yet.

Shadow, I can't use any software methods like that because I'm only doing this to part of the network, not the whole, and I can't put software on the machines, cause the users would just uninstall it, or it would be destroyed when they reinstall the OS.

[SubZero]

I'd say don't install the proxy client on the machines, then put a system policy that locks them outta the control panels.

[Milenko]

Sheriff Q, that'll work great until they reformat the machines, and then they can do whatever they please. Plus, they don't need the proxy client to surf the net, you only need that for proggies that you can't custom configure.

[SubZero]

Hmmm..by reformat, you mean resetting the configuration on the internet control panel to allow them access right? or do you mean reformat the machine?

Lemme check the permission settings on the proxy server here, and see what I can come up with. I'm thinking you can deny the IP addresses of the machines access to the proxy, but I'll check and be sure.

[Milenko]

By reformat I mean reformat the hard drive and reinstall windows. This is an electronics lab where they learn to work on machines and junk.

I can't use the IP addresses as a basis cause I use DHCP on the network, and I'm sure the kids would figure that out anyways. All they'd have to do is choose an IP from a different range, and they'd be on.

[techleet]

You could always do it the ghetto-fabulous way: Setup their browser to point to a proxy server that doesn't exist hahaha <IMG SRC="smilies/biggrin.gif" border="0"> <IMG SRC="smilies/biggrin.gif" border="0">

[condor]

is your proxy transparent or you need to setup your browser proxy address ?

if you do just remove the proxy address from tose computers and lock the internet properties with policies.


another option (more complicated)

set the classroom as a VLAN - deny the classroom Vlan access on the proxy server.
if you have msanaged switches that support Vlans it's easy - if not stick to option 1.

Hope it helps..