how to block ONLY web access

How can I block a specific user from using the browser on a specific machine? I'd like to leave all the other services intact (ftp, telnet, etc...). The accounts in my network are not "cached localy" they are all authenticated at the PDC. I'd like to block the user remotely (from PDC, not locally) The clients are NT serv.pack 6 and the PDC is Win2k2000server. However I do not want this particular user tunneling http trafic through another port (netcat or something) w/ the help of another (remote) machine. The user has a valid company account and he can install things. Is windows running TCPIP natively in this case??? If so then simple port block will not suffice.... What are my options?


(tired and hungry linux sysadmin)

can you give us a reason why you want to do that ....

and just a reminder ... he can use Telnet to browse the Internet in only Text-based view like i do .. when i dont have access to sites or something i use telnet to connect to cyberspace.org via tlnet and login with my account .... they have an text based browser there :)

the guys is surfing on company time --- way to much...

One way would be to install personal firewalls on each computer and block access to all browsers on the computer. Another way would be to upgrade the PDC to Windows 2003 and use it to block access to browsers on the whole domain.
Cheers,
cgkanchi

Any standard rule based filtering firewall should be able to meet your needs, _if_ I am understanding your question:

"How can a stop a particular client from browsing the web, without interfering with anything else?"

something like:
block outgoing from client where protocol=tcp from any to port 80/443/8000/8080

You can block either requests or responses depending on your needs. It is likely to be better to work this on a default deny stance and only allow specific services to the client as this can be meshed with other things For example if the organization has a proxying firewall like TIS-FWTK (or newer commercial versions) to ensure that no http/https data is going to the client in question. The client can respond a wide variety of means, eg custom tunnels, etc... and if high assurence is required it maybe wise to install pc-anywhere/vnc on the client and add a warning logon message that the system is monitored by the IT administration folk, and then set an irregular schedule for spot monitoring, or when alarmed by atypical encrypted data.

catch

i guess the first thing i need to know is how, exactly can i do this in windows 2000 server. were are the options located (registry or control panel) then i need to know how exactly does windows block the access.. is it *nix like.. just blocking the 80 and related ports or does it mess w/ netbios

the user can only use one system... not by software limitations but because of the physical location so therefore firewall on all systems is not an option.

well if you are working with routers you could set up an ACL to block outgoing traffic from the persons ip address for whatever ports you need

this is exactly why windows needs something similiar to iptables. i once heard of a firewall called iptables for windows but i only found one broken link to it on google.

u don't need a firewall on all the system! u just need a filter between your cie and the internet.
u have several puters and I guess have a router smwh.

u know what?
mainly all routers implement basic firewalling features (CISCO call that ACL).

if u want to restrict the access for one guy create a specific rule (/32) to restrict outbound flows with HTTP, HTTPS, FTP, Telnet related tcp port.

Doing that the guy will still be able to browse the intranet if u have one, but not browsing the web.
Be aware that single user specific firewalling rules are not optimized & should only for exceptions.

Hope it helps ...

One other thing you can do is block outgoing access to port 80 using your firewall (dunno if W2K can do it without help from an external program). That should keep users from surfing most sites.
Cheers,
cgkanchi

EDIT : You might also want to consider blocking port 8080. That'll get out most of the sites that don't use port 80