Super User: Restricting system-wide access to all websites outside of a specified list
[0] [1] Mark Tomlin
[2009-11-03 02:03:37]
[ windows-xp networking ]
[ https://superuser.com/questions/64755/restricting-system-wide-access-to-all-websites-outside-of-a-specified-list ]

I want to restrict access to all websites outside of a list of allowed domains. (localhost, superuser.com, stackoverflow.com, etc.) I would like this to be applied system-wide and to be browser agnostic.

How do I set this up?

[+1] [2009-11-03 02:10:26] nik [ACCEPTED]

These things can be done:

  1. Set up the firewall to restrict outbound connections to your domain list
     • this will prevent all outbound communications outside the restricted set,
       besides the usual inbound restrictions that a firewall is usually configured for
  2. Check your router/modem for filter support
     • the same firewall trick, but at the network device rather than the machine;
       this is sometimes more effective
  3. Use OpenDNS filtering capabilities
     • I could not quickly look up a scheme to allow a set,
       though there are ways to block specific sets
  4. If you have a set of machines in your network that need this control,
     a proxy (like Squid [1]) could also be set up for filtering access.
     • This would be more effort (another Squid-running machine required in the path).
       The overhead will be amortized if you have several machines to control.

HowToGeek OpenDNS reference [2].

HowToForge Squid Proxy Server On Ubuntu 9.04 Server [3]
with DansGuardian, ClamAV, And WPAD (Proxy Auto-Detection).


Update:

A host-based firewall should work.
Unfortunately, the Windows XP firewall does not support outbound filtering [4].

The firewall software in Windows XP was simple and rudimentary and protected incoming traffic only, blocking any inbound connections that had not been initiated by your computer - and it was turned off by default. Service Pack 2 turned it on by default and made it possible for administrators to enable it via Group Policy.

But, other firewalls will probably allow you to control outbound connections.
Typically, I have seen application-based control (rather than port- or domain-based) in Windows-based firewall tools. However, there may be other forms (here is a quick reference to some free and trial Windows firewall apps [5]). Others may have more information on this.

If the users do not need administrative rights,
setting them up that way will not allow them to change your configurations.
Any third-party application will probably also prohibit configuration changes by non-admin users.

[1] http://www.squid-cache.org
[2] http://blogs.howtogeek.com/mysticgeek/2008/08/07/protect-your-kids-online-with-any-os-using-open-dns/
[3] http://www.howtoforge.com/squid-proxy-server-on-ubuntu-9.04-server-with-dansguardian-clamav-and-wpad-proxy-auto-detection
[4] http://www.windowsecurity.com/articles/Whats-new-Windows-7-Firewall.html
[5] http://www.dkszone.net/2009/10/best-free-firewall-software-windows.html
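The Squid allowlist from option 4 of the answer, spelled out as an added example (this is not the answer's or the Squid project's own configuration); the file paths, the client subnet and the listening port are assumptions:

```conf
# squid.conf excerpt (paths, subnet and port here are assumptions for this example)

# Domains the machines may reach; one entry per line in the file shown further down.
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Clients that are allowed to use the proxy at all.
acl localnet src 192.168.1.0/24

# Only plain HTTP and HTTPS (via CONNECT) are let through the proxy.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Order matters: the first matching http_access rule wins.
# Allow only local clients AND only listed destinations; deny everything else.
http_access allow localnet allowed_sites
http_access deny all

http_port 3128

# --- /etc/squid/allowed_sites.txt (contents shown as comments) ---
# A leading dot matches the domain and all of its subdomains;
# without it only that exact host name matches.
# localhost
# .superuser.com
# .stackoverflow.com
```

For HTTPS the CONNECT request carries the destination host name, so dstdomain still matches without decrypting traffic. A proxy only filters what is sent through it, so the clients must have the proxy setting enforced (and direct outbound traffic blocked) for the allowlist to hold.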

Here comes the interesting part: the computers are laptops, and are going to be used not only on my local network, but also on other public networks. The idea being that the admin sets the restrictions, and the user abides by those restrictions. - Mark Tomlin
It would be nice if the Windows firewall could be set up to do this, or a third-party firewall that I can hide within the svchost.exe processes. Also the firewall itself must not be editable by the plain user account, only by the admin account. But I think making its processes a part of svchost would take care of that. - Mark Tomlin
Sorry, I can't give you the up vote, but your edit is accepted as the answer. Thank you. I'll look more deeply into the subject via the links you've provided. - Mark Tomlin