How to disable internet for one user acct

[Appleby]

Here is the situation...I do charity work for a local non-profit that I was a part of for a long time. They have a laptop in their "community" office that anyone can access. Some of the people who work there use it on break time to check Facebook, email, goof off etc. They have had repeated virus infections, to the tune of about 1 every 2-3 weeks. This is getting old for and for them.

They have asked that I password protect their main user account where the 2-3 senior people do the Quickbooks, reports etc. They would also like a secondary account that the other employees can use to do reporting and paper work but they do NOT want it to have internet access. This will prevent the repeated virus infections. Pretty smart idea.

I can think of some "dirty" ways to do this but I'm curious if there are some better ways. I could go in and disable the network adapters and even use the proxy server trick in IE that many viruses use to disable internet access, but not only is this pretty lame, someone with some knowledge could figure both of those out and re-enable internet access.

This is a Dell laptop running XP Home SP3. Any better ideas on how I could do this for the one user account? Oh and due to one of the reporting software apps the other employees are using, they said that secondary acct. does need to be an Administrator account, rather than a limited user.

Thoughts?

 

[vdub12]

Here is the situation...I do charity work for a local non-profit that I was a part of for a long time. They have a laptop in their "community" office that anyone can access. Some of the people who work there use it on break time to check Facebook, email, goof off etc. They have had repeated virus infections, to the tune of about 1 every 2-3 weeks. This is getting old for and for them.

They have asked that I password protect their main user account where the 2-3 senior people do the Quickbooks, reports etc. They would also like a secondary account that the other employees can use to do reporting and paper work but they do NOT want it to have internet access. This will prevent the repeated virus infections. Pretty smart idea.

I can think of some "dirty" ways to do this but I'm curious if there are some better ways. I could go in and disable the network adapters and even use the proxy server trick in IE that many viruses use to disable internet access, but not only is this pretty lame, someone with some knowledge could figure both of those out and re-enable internet access.

This is a Dell laptop running XP Home SP3. Any better ideas on how I could do this for the one user account? Oh and due to one of the reporting software apps the other employees are using, they said that secondary acct. does need to be an Administrator account, rather than a limited user.

Thoughts?

If you set an IE proxy to local and make the account limited it does not mater what knowledge they have they will not be able to change it. At least I don't think they will be able to.

You could also write an autoit script that runs every 30 seconds that resets the proxy on that account. So even if they change it whey will only have 30 seconds of Internet access.

 

[Appleby]

Hmm, that is a good idea.....thanks for the advice.

I really don't think the users are going to go to the trouble of trying to figure it out because once they are told they can't access the net but they can bring their own pc's and use the wifi connection I think most will be fine. I also don't think any of them are smart enough to even know where to look to figure it out.

 

[DanF]

There's a simple way to block the usage of Internet Explorer, or any other executable file, from being executed.

All you need to do is go to the Local Security Policy in the Administration Tools and add a Software Exception (browse for iexplore.exe) and add it as disallowed. Done this multiple times for clients who have very young children and do not want them to use the internet.

 

[commentator8]

Had to do something similar recently. My opinion is it would be best to make them a limited user and kill the net with the proxy settings (as mentioned limited users cant change this, although firefox has its own settings so will need to be blocked) etc, as well as blocking iexplorer firefox and the like. Due to their need for admin privileges you can use this (or similar) to allow the specific programs to run with admin privileges - it encrypts the password so its safe.

If they really want protection against reinfection it might be worth looking at steadystate or the like.

edit: i can't recall if home lets you play with local security policy.

 

[Ryder]

... have you considered a DNS solution like opendns.com it's standard features may help.

 

[commentator8]

Don't think that will work. Recall trying that once and finding that the free version at least didn't offer that. That and in a admin account it is simple to circumvent opendns by manually configuring the tcp/ip dns to google's dns.

 

[RedFoxComp]

Don't think that will work. Recall trying that once and finding that the free version at least didn't offer that. That and in a admin account it is simple to circumvent opendns by manually configuring the tcp/ip dns to google's dns.

OpensDNS combined with a Tomato or DD-WRT equipped router is brilliant. Set up OPENDNS on the router and have it intercept all DNS traffic so people can't circumvent it on individual computers. Block porn, proxy websites, facebook, youtube, twitter etc. Free accounts work fine.

Set up a limited account so they can't install anything on it.

 

[Paul Rodgers]

You could install Deep Freeze. But that may also cause more headaches.

I actually did something for one user that only allowed 3 sites to come up through the ie security settings. Password protected too.