Disable Web Browsing??

design@divergentweb.com · #1 (**permalink**) 10-21-2003, 05:15 PM

This is a bit odd to ask in a web development forum, but I have a client who wants to disable browsing in their offices, and I suspect newgroups, too. They want to allows employees to get email from their website, and have no access to browse.

The first option I came up with was to uninstall all browsers from their machines - but its to easy to install a new one.

My next thought would be to use a router with a built-in firewall to close all non-email ports (like those used for browsers & newsgroups). Can this be done?

Or, is there a simpler way to disable browsing & newsgroup ports without a firewall/router?

Last item is to assume a Windows PC, 98 thorugh XP Home, no XP Pro, No NT machines (which I can't work with well anyway).

ojo4max · #2 (**permalink**) 10-22-2003, 10:04 AM

We are using our firewall options to block certain websites but you can easyly set it up to block all websites. Removing all browsers should work too as they would need a browser to download other browsers. They are ways to download browsers directly but it is beyond most people's knowledge. Of course, we are using Windows 2000 which gives you a bunch of permission options that you won't have with 98. HTH.

radelster · #3 (**permalink**) 10-22-2003, 10:04 AM

Although I am not sure of the method, I know there is a way to turn off all external access to websites, and then have a table of sites that ARE allowed. I tried to get them to do that at my company, but they said it would be too much overhead and easier to give everyone full access to everything. Then they complain when folks are surfing!!

maniactive · #4 (**permalink**) 10-22-2003, 10:14 AM

Bigger question: Why would anyone want to be employed by this company? It smacks of "lack of trust in the discretion of the employee" -- an oppressive atmosphere, to be sure. And if the employees ARE surfing unreasonably, it must be because they haven't anything better to do, which is a sure sign that the company is a loser. Also, it appears that management can't find anything better to do than to waste time and money limiting people's access to vital information.

Why doesn't the company work on policies/programs that develop an environment of trust between employees and owner/managers?

Might be a better use of everyone's time, and just might turn the company around.

outkast · #5 (**permalink**) 10-22-2003, 10:26 AM

Very assumptive arent we?

Brian Bennett · #6 (**permalink**) 10-22-2003, 10:55 AM

I went thru this at a previous company and definitely found it to be a pain. It's not a matter of whether to work there or not, it's that the 'client' wants it and employees invariably spend too much time on the internet. Some abuse it because it is a faster connection than home. Anyway, in software firewalls, such as WinProxy by Ositis, you can choose to allow or disallow sites, and use blacklists & whitelists for a more comprehensive selection process. Also, remember you can 'surf' from anywhere in Windows that has an address bar, including desktop folders, Explorer, and Outlook. Since it also records all interaction thru the firewall, you can create a policy for the client warning the users that their actions are being watched. Sometimes users are just like children and have to be sent to timeout!

mtheory · #7 (**permalink**) 10-22-2003, 12:48 PM

Quote:

Originally Posted by maniactive

Bigger question: Why would anyone want to be employed by this company? It smacks of "lack of trust in the discretion of the employee" -- an oppressive atmosphere, to be sure. And if the employees ARE surfing unreasonably, it must be because they haven't anything better to do, which is a sure sign that the company is a loser. Also, it appears that management can't find anything better to do than to waste time and money limiting people's access to vital information.

I don't think it is a matter of trust.

Put a television in the office. Will it be a distraction and hinder productivity. Very Likely.

If web surfing is not part of the job then the employee has no right to expect a browser be installed on their work station.

jestersi · #8 (**permalink**) 10-22-2003, 12:58 PM

a hardware firewall or a linux box with 2 network cards . Then disable outbound connections on port 80 for browsers. But there are free proxy's out there so that's a pain. Perhaps disable all connectivity except connections to e-mail and other services. Then you have your locked down network :) It'll be more secure to.

Rhys · #9 (**permalink**) 10-22-2003, 08:12 PM

Although I realize there are people who abuse company time by surfing, there are also people who abuse company time in many other ways. Is the problem really web access or the company's culture? Is the boss taking a three hour lunch on the golf course any less a waste of company time than an employee surfing the net?

Personally I would have to agree with maniactive - I graduated from high school a LONG time ago and expect to be treated as an adult. I simply couldn't stand to work for that kind of a company - if they don't trust me they shouldn't hire me, or should fire me. The few times I've been forced to work under "Mickey Mouse" conditions, I've found myself spending quite a lot of company time figuring out ways to defeat their restrictions, just to get even.

design@divergentweb.com · #10 (**permalink**) 10-22-2003, 10:02 PM

While I respect opinions, I seek facts here. Out of respect for those who may have useful information and strong opinoins on this issue:

1) I'm sure the employees and potential employees realize that if they want to surf the net at work, they should work elsewhere. I'm equally as sure that if they do not intend to surf, they will not mind having the functionality on **their employer's computer** blocked that allows only surfing.

2) While email is required to fulfill these folks job, surfing websites is not required and is not allowed. I see no reason anyone should have to pay to manage an activity that is prohibited should there be a simple remedy that disables it.

=====================================
Rhys and maniactive just because I'm in an odd mood tonight I've addressed your comments at http://www.webproworld.com/viewtopic.php?p=34066#34066 and look forward to reading any responses.

minstrel · #11 (**permalink**) 10-22-2003, 10:51 PM

Quote:

Originally Posted by design@divergentweb.com

While I respect opinions, I seek facts here.

Rhys and maniactive just because I'm in an odd mood tonight I've addressed your comments at http://www.webproworld.com/viewtopic.php?p=34066#34066 and look forward to reading any responses.

Wow! Well done, divergent! I've been following this thread and I do agree with most of what maniactive and Rhys have said about employers who want to police employees as if they were untrustworthy children. On the other hand, I've also understood that your question was not "should the employer do it?" but "how can the employer do it?". Taking the first question to its own thread was a masterful way of getting back to the second one. :-)

Now, methinks I shall take myself to that other thread... :-)

matauri · #12 (**permalink**) 10-23-2003, 04:33 AM

Quote:

Originally Posted by divergent

They want to allows employees to get email from their website, and have no access to browse.

From the tone you have written your original post, I take it that 'their' website is not intranet? That employees checking their email would have to be thru the internet? (i.e. they would need a browser) Or are they able to collect mail thru their email program?

By no means am I an expert in this field, but I run 4 computers here on a network with the administrative rights & firewall on my one. Mine previously had Win 2000, now XP Pro, and the downline computers range from unix-Win 98. From there I am able to control all access down the line, be it browser, msn, printer, etc.

If the business hasnt got the right OS or firewalls to control his network, it might be an idea to suggest that they update.

Cindy

carbonize · #13 (**permalink**) 10-23-2003, 06:31 AM

My current employer allows browsing. All the traffic goes through the one server up in Peterborough where they use the Smoothwall firewall for security purposes and as it also has the ability to block certain sites based on url or a list of banned words. It can be stupid though as it blocks my hosts site http://www.web-mania.com and you get told the domain is blocked as it contains pornography.

vfaulkner · #14 (**permalink**) 10-23-2003, 09:36 AM

I used to be a manager for a large book retailer. The system/browsers there were locked down/set up to only allow certain IPs and email addresses within the company, in and out. was annoying when I tried to use my company email from home to send info to my coworkers. I often would have to do some researching at home;I was denied EVERY time.
Their reasoning is that OUR resources are sufficient enough to get any information/item needed, so there no reason to go elsewhere. (NOT TRUE,BTW! Company lost many a customer to competitors with this attitude. )
I am pretty sure that they used a firewall, but when I asked, was evaded.
They also had a type of VNC so the offsite IT could enter into a store's system at will.

Not sure if this helps...

design@divergentweb.com · #15 (**permalink**) 10-23-2003, 11:41 AM

MORE INFO:
This company has satellite offices that (as far as I know) all use dialup. They use email (Outlook Express probably) to communicate with leads from their website and the corporate office. There is no VNC or Intranet.

WHAT I WILL DO
I am thinking of suggesting what jestersi has mentioned since Internet traffic only need allow email (Win98 thru WinXP systems, no 200, NT or XP Pro). I believe the company works with a contracted network professional, so this would mean just setting up the access once, and no IT need monitor/update anything and security is thusly boosted.

Yup, I'll have them contact Ositis about Winproxy. I may get a small job doing the installations and setup.

THANKS
Thanks to all who have taken time to give inoput on this subject!

jestersi · #16 (**permalink**) 10-23-2003, 12:55 PM

If you have any more questions as to wich technologies to use, i would be happy to suggest, winproxy is nice but may be to slow depending on how many machines are in the environment. If there's more than 30 than I would suggest a hardware firewall or even better a Apache based proxy. If proxy is the way you want to go.

design@divergentweb.com · #17 (**permalink**) 10-23-2003, 07:24 PM

Thanks jestersi.

I looked at Ositis' website, and I think the software option mis best. Since they outsource IT/Networking on a per-visit basis I think this is also the least expensive option as I ceetainly am less expensive than those folks, and the product comes with free tech support.

Also, they have several locations most of which I think are comprised of one, maybe two computers.

Peter · #18 (**permalink**) 10-24-2003, 10:56 AM

If you run Windows or any MS application you will find that if you some how manage to remove IE, doing so will cause some usability issues with Windows itself. Help pages, applications will all fail to work correctly.

So best thing to do is get a hardware firewall, set it to block http traffic. This will remove any operating system issues.

Although i find the web so useful I would find it impossible to do my job without it.

design@divergentweb.com · #19 (**permalink**) 10-24-2003, 12:44 PM

Peter, good point, I had actually been thinking of the software proxy and curious employees myself late last night and without your comments I may not have come to the conclusion that I should at least see if my client is open to using some sort of hardware-based firewall (router?) like I do at home. Naturally this would have the added benefit of not only removing HTTP access, but also shutting other unused ports from hackers.

Carbonize, I know what you mean about those "programs" that use black, whitelists, and/or keyword blocking, they can be rather unintelligent. I think that's why I went and ICRA-labeled my site.

IN OTHER NEWS.....

I just called everyone that works in these offices (all 20+ people in 3 states) and guess what? They are afraid of websites.

These workers whose median age is 46 are pre-1990 workers who believe that this "newfangled Internet thingy" to take a quote from one, is an overtly dangerous thing. Several think the Matrix is coming to get them via their PC, so the Internet just intensifies that fear.

Let's stop harassing these poor people. They are already scared enough that their jobs entail getting, writing and sending emails when "...regular mail is perfectly good, and my phone works, too". I am their champion coming to their rescue and I shall close their HTTP connections in the name of security! At the same time I will not burden their employers with any IT overhead, I'll get the job done and that will be that.

I spoke to one today explaining their new work environment, a website-free environment and was told, "Well, I never knew how to even use that Internet viewer [he meant browser] program but now I know I don't have to worry about some hacker using one to take control of my coffee pot or microwave. Thanks!" Another simply said "Thank you, thank you." Although I live my life on the Internet, I do not mind shielding those who are wary of its dangers from being subjected to it.