Thread: LAN Proxy settings

  1. #1

    LAN Proxy settings

    Guys, little help needed. In my LAN we are using IWSS for content filtering, so we have set the Proxy Server setting in IE 6 settings, but the catch is that if the LAN users come to know about these settings they can easily uncheck that option to bypass IWSS's content filtering. My question is: is there any way to restrict these users from changing their browser's proxy settings (like gpedit.msc etc.) so that they are all forced to send their requests to our IWSS proxy server first? Yup, forgot to mention they are all in a DOMAIN and using Win XP Prof.

    bat21
    GOD BLESS YOU

  2. #2
    We use the exact same type of system as you described but it's using SCM from Computer Associates. The goal is to keep our users proxying through the device so we can filter their internet for productive uses. If they manage to uncheck proxy or change it elsewhere we would have no internet filter.

    Yes, you can make Windows settings all greyed out; the exact location of the setting eludes me though, so you'll probably have to look it up. We also have our machines check that policy every 30 minutes with the AD in the event of a user "accidentally" unchecking it. Lastly, we don't allow any traffic from our different subnets that isn't generated from our proxy servers or other allowed addresses. I do this at my hardware firewall, so if a user attempts to uncheck the proxy and do as they wish on the internet they're not going outside of the network.

    Thanks for the blessing too.... everyone can use some more of that.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  3. #3
    MURACU (AO Guinness Monster) | Join Date: Jan 2004 | Location: paris | Posts: 1,003
    Here is a link to one way to do it using the IE administration kit.
    restricting access to IE functions
    You can also restrict their access using the security policies. I am not on a Windows machine at the moment but will post the information when I find it.
    Other than that, it is always better to do as the captain says and also block the traffic if it doesn't come through the proxy.
    Found this one also just before I posted; it looks more like what you want.

    policy settings
    I am sure you can apply the same policies in the domain policy editor.

    hope this helps.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde(1854-1900)

  4. #4
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,401
    First of all, make sure your users CANNOT access the internet directly; they should only be allowed to connect to the proxy. A few firewall rules should do that trick. Second, use group policies to fix the proxy settings and turn off the connection tab in IE's option menu. Third, make sure your users only get "regular" user accounts.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    it is important that they cannot download 3rd party software

    w/ tools they would be able to bypass

    netcat, firefox, tor
    UNIX IS user friendly, it's just very choosy about who it calls a friend.

  6. #6
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,401
    If you use a proxy-server with a decent content scanner then those things aren't possible.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    I agree with sirdice... when my organization rolled our setup out about a month ago we had to consider any device that is not allowed to send traffic directly to the internet has to be completely stopped at our firewall. If you do this then I don't care what kind of tool they use at their machine they're not getting out... No traffic generated from their machine can. They can maybe spoof their IP addresses, but that would require knowing the IP addresses that are allowed and then using one that is already used creating another kind of problem.

    When I was presented the problem I said let's just stop the traffic at the firewall and not even stop them from changing their proxy. If they choose to mess it up for themselves let 'em, but that was quickly shot down. The two part solution works great though... stop them from changing their proxy, but if they manage to it doesn't matter because of the firewall.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  8. #8
    you leave any port open they will tunnel through it ... especially if you have http access
    UNIX IS user friendly, it's just very choosy about who it calls a friend.
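
Added example, not part of any post in the thread: a small audit of the firewall half of the "two part solution" from #4 and #7, which also surfaces the leftover open port that #8 warns about. The rule set, addresses and function names are constructed for illustration; it assumes a first-match rule table with an implicit deny.

```python
import ipaddress

# Constructed sample rules (first match wins): action, source, destination, port.
# A port of None means "any port". 10.0.9.10 stands in for the filtering proxy.
RULES = [
    ("allow", "10.0.9.10/32", "0.0.0.0/0", 80),      # proxy -> internet
    ("allow", "10.0.9.10/32", "0.0.0.0/0", 443),
    ("allow", "10.0.0.0/16", "10.0.9.10/32", 8080),  # clients -> proxy
    ("allow", "10.0.1.0/24", "0.0.0.0/0", 53),       # leftover rule: direct DNS
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def parse(rules):
    """Pre-parse the CIDR strings so each lookup is a cheap membership test."""
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d), p)
            for a, s, d, p in rules]

def decide(rules, src, dst, port):
    """First-match evaluation; traffic matching no rule is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, r_port in rules:
        if src in s_net and dst in d_net and r_port in (None, port):
            return action
    return "deny"

def direct_egress(rules, clients, external_probe):
    """Return {client: [ports]} each client can reach outside without the proxy."""
    # Ports named in a rule, plus one unnamed port, cover every distinct outcome.
    named = {p for *_, p in rules if p is not None}
    other = next(p for p in range(1, 65536) if p not in named)
    findings = {}
    for client in clients:
        open_ports = [p for p in sorted(named)
                      if decide(rules, client, external_probe, p) == "allow"]
        if decide(rules, client, external_probe, other) == "allow":
            open_ports.append("*")  # every port not named in any rule
        if open_ports:
            findings[client] = open_ports
    return findings

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address used as the "outside" host.
    print(direct_egress(parse(RULES), ["10.0.1.25", "10.0.2.25"], "203.0.113.7"))
```

An empty result means the sampled clients can only leave the network through the proxy, so unchecking the browser setting gets them nowhere.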
