This is a bit odd to ask in a web development forum, but I have a client who wants to disable browsing in their offices, and I suspect newgroups, too. They want to allows employees to get email from their website, and have no access to browse.

The first option I came up with was to uninstall all browsers from their machines - but its to easy to install a new one.

My next thought would be to use a router with a built-in firewall to close all non-email ports (like those used for browsers & newsgroups). Can this be done?

Or, is there a simpler way to disable browsing & newsgroup ports without a firewall/router?

Last item is to assume a Windows PC, 98 thorugh XP Home, no XP Pro, No NT machines (which I can't work with well anyway).

We are using our firewall options to block certain websites but you can easyly set it up to block all websites. Removing all browsers should work too as they would need a browser to download other browsers. They are ways to download browsers directly but it is beyond most people's knowledge. Of course, we are using Windows 2000 which gives you a bunch of permission options that you won't have with 98. HTH.

Although I am not sure of the method, I know there is a way to turn off all external access to websites, and then have a table of sites that ARE allowed. I tried to get them to do that at my company, but they said it would be too much overhead and easier to give everyone full access to everything. Then they complain when folks are surfing!!

Bigger question: Why would anyone want to be employed by this company? It smacks of "lack of trust in the discretion of the employee" -- an oppressive atmosphere, to be sure. And if the employees ARE surfing unreasonably, it must be because they haven't anything better to do, which is a sure sign that the company is a loser. Also, it appears that management can't find anything better to do than to waste time and money limiting people's access to vital information.

Why doesn't the company work on policies/programs that develop an environment of trust between employees and owner/managers?

Might be a better use of everyone's time, and just might turn the company around.

Very assumptive arent we?

I went thru this at a previous company and definitely found it to be a pain. It's not a matter of whether to work there or not, it's that the 'client' wants it and employees invariably spend too much time on the internet. Some abuse it because it is a faster connection than home. Anyway, in software firewalls, such as WinProxy by Ositis, you can choose to allow or disallow sites, and use blacklists & whitelists for a more comprehensive selection process. Also, remember you can 'surf' from anywhere in Windows that has an address bar, including desktop folders, Explorer, and Outlook. Since it also records all interaction thru the firewall, you can create a policy for the client warning the users that their actions are being watched. Sometimes users are just like children and have to be sent to timeout!

Bigger question: Why would anyone want to be employed by this company? It smacks of "lack of trust in the discretion of the employee" -- an oppressive atmosphere, to be sure. And if the employees ARE surfing unreasonably, it must be because they haven't anything better to do, which is a sure sign that the company is a loser. Also, it appears that management can't find anything better to do than to waste time and money limiting people's access to vital information.


I don't think it is a matter of trust.

Put a television in the office. Will it be a distraction and hinder productivity. Very Likely.

If web surfing is not part of the job then the employee has no right to expect a browser be installed on their work station.

a hardware firewall or a linux box with 2 network cards . Then disable outbound connections on port 80 for browsers. But there are free proxy's out there so that's a pain. Perhaps disable all connectivity except connections to e-mail and other services. Then you have your locked down network :) It'll be more secure to.

Although I realize there are people who abuse company time by surfing, there are also people who abuse company time in many other ways. Is the problem really web access or the company's culture? Is the boss taking a three hour lunch on the golf course any less a waste of company time than an employee surfing the net?

Personally I would have to agree with maniactive - I graduated from high school a LONG time ago and expect to be treated as an adult. I simply couldn't stand to work for that kind of a company - if they don't trust me they shouldn't hire me, or should fire me. The few times I've been forced to work under "Mickey Mouse" conditions, I've found myself spending quite a lot of company time figuring out ways to defeat their restrictions, just to get even.

While I respect opinions, I seek facts here. Out of respect for those who may have useful information and strong opinoins on this issue:

1) I'm sure the employees and potential employees realize that if they want to surf the net at work, they should work elsewhere. I'm equally as sure that if they do not intend to surf, they will not mind having the functionality on **their employer's computer** blocked that allows only surfing.

2) While email is required to fulfill these folks job, surfing websites is not required and is not allowed. I see no reason anyone should have to pay to manage an activity that is prohibited should there be a simple remedy that disables it.


=====================================
Rhys and maniactive just because I'm in an odd mood tonight I've addressed your comments at http://www.webproworld.com/viewtopic.php?p=34066#34066 and look forward to reading any responses.

While I respect opinions, I seek facts here.

Rhys and maniactive just because I'm in an odd mood tonight I've addressed your comments at http://www.webproworld.com/viewtopic.php?p=34066#34066 and look forward to reading any responses.

Wow! Well done, divergent! I've been following this thread and I do agree with most of what maniactive and Rhys have said about employers who want to police employees as if they were untrustworthy children. On the other hand, I've also understood that your question was not "should the employer do it?" but "how can the employer do it?". Taking the first question to its own thread was a masterful way of getting back to the second one. :-)

Now, methinks I shall take myself to that other thread... :-)

They want to allows employees to get email from their website, and have no access to browse.

From the tone you have written your original post, I take it that 'their' website is not intranet? That employees checking their email would have to be thru the internet? (i.e. they would need a browser) Or are they able to collect mail thru their email program?

By no means am I an expert in this field, but I run 4 computers here on a network with the administrative rights & firewall on my one. Mine previously had Win 2000, now XP Pro, and the downline computers range from unix-Win 98. From there I am able to control all access down the line, be it browser, msn, printer, etc.

If the business hasnt got the right OS or firewalls to control his network, it might be an idea to suggest that they update.


Cindy

My current employer allows browsing. All the traffic goes through the one server up in Peterborough where they use the Smoothwall firewall for security purposes and as it also has the ability to block certain sites based on url or a list of banned words. It can be stupid though as it blocks my hosts site http://www.web-mania.com and you get told the domain is blocked as it contains pornography.

I used to be a manager for a large book retailer. The system/browsers there were locked down/set up to only allow certain IPs and email addresses within the company, in and out. was annoying when I tried to use my company email from home to send info to my coworkers. I often would have to do some researching at home;I was denied EVERY time.
Their reasoning is that OUR resources are sufficient enough to get any information/item needed, so there no reason to go elsewhere. (NOT TRUE,BTW! Company lost many a customer to competitors with this attitude. )
I am pretty sure that they used a firewall, but when I asked, was evaded.
They also had a type of VNC so the offsite IT could enter into a store's system at will.


Not sure if this helps...

MORE INFO:
This company has satellite offices that (as far as I know) all use dialup. They use email (Outlook Express probably) to communicate with leads from their website and the corporate office. There is no VNC or Intranet.

WHAT I WILL DO
I am thinking of suggesting what jestersi has mentioned since Internet traffic only need allow email (Win98 thru WinXP systems, no 200, NT or XP Pro). I believe the company works with a contracted network professional, so this would mean just setting up the access once, and no IT need monitor/update anything and security is thusly boosted.

Yup, I'll have them contact Ositis about Winproxy. I may get a small job doing the installations and setup.

THANKS
Thanks to all who have taken time to give inoput on this subject!

If you have any more questions as to wich technologies to use, i would be happy to suggest, winproxy is nice but may be to slow depending on how many machines are in the environment. If there's more than 30 than I would suggest a hardware firewall or even better a Apache based proxy. If proxy is the way you want to go.

Thanks jestersi.

I looked at Ositis' website, and I think the software option mis best. Since they outsource IT/Networking on a per-visit basis I think this is also the least expensive option as I ceetainly am less expensive than those folks, and the product comes with free tech support.

Also, they have several locations most of which I think are comprised of one, maybe two computers.

If you run Windows or any MS application you will find that if you some how manage to remove IE, doing so will cause some usability issues with Windows itself. Help pages, applications will all fail to work correctly.

So best thing to do is get a hardware firewall, set it to block http traffic. This will remove any operating system issues.

Although i find the web so useful I would find it impossible to do my job without it.

Peter, good point, I had actually been thinking of the software proxy and curious employees myself late last night and without your comments I may not have come to the conclusion that I should at least see if my client is open to using some sort of hardware-based firewall (router?) like I do at home. Naturally this would have the added benefit of not only removing HTTP access, but also shutting other unused ports from hackers.

Carbonize, I know what you mean about those "programs" that use black, whitelists, and/or keyword blocking, they can be rather unintelligent. I think that's why I went and ICRA-labeled my site.

IN OTHER NEWS.....

I just called everyone that works in these offices (all 20+ people in 3 states) and guess what? They are afraid of websites.

These workers whose median age is 46 are pre-1990 workers who believe that this "newfangled Internet thingy" to take a quote from one, is an overtly dangerous thing. Several think the Matrix is coming to get them via their PC, so the Internet just intensifies that fear.

Let's stop harassing these poor people. They are already scared enough that their jobs entail getting, writing and sending emails when "...regular mail is perfectly good, and my phone works, too". I am their champion coming to their rescue and I shall close their HTTP connections in the name of security! At the same time I will not burden their employers with any IT overhead, I'll get the job done and that will be that.

I spoke to one today explaining their new work environment, a website-free environment and was told, "Well, I never knew how to even use that Internet viewer [he meant browser] program but now I know I don't have to worry about some hacker using one to take control of my coffee pot or microwave. Thanks!" Another simply said "Thank you, thank you." Although I live my life on the Internet, I do not mind shielding those who are wary of its dangers from being subjected to it.

There are a couple of ways to go for firewalls. I've had excellent luck with the D-Link (DI-604 or DFL-80 or DFL-300).For just a couple of dollars ($60 to $200 depending on features you need) you have a hardware firewall that you can easily open up only a few ports or even set it up so that only certain computers have access to browse. The high end way to go is the Astaro linux based firewall which includes virus scan that is updated every night. A LOT more options as to who has access to what and what can be blocked. Keeep in mind that the blaster virus did NOT attach itself to email but directly attacked Windows 2000/XP workstations through port 135. If you only open the ports you need you stop that kind of attack.
I prefer hardware based solutions rather than adding more software to the workstation (more sources of conflicts and why have more things for the user to deal with).
Regarding the issue about `trusting ' the worker it's the old 90/10 rule. 10% OF the employees will cause 90% of the problems. Setting the system up to AVOID problems makes more business sense than chasing the problems after they occur. I've repeatedly had to go in and deal with situations where an employee was addicted to the gambling sites. Just recently had to deal with a child porn problem. One situation an employee FILLED the server with more than 60GB of downloaded music. At this point there have been multimillion dollar judgements against employers for allowing employees to download music. Employers have no choice but to protect themselves. It is the employer's equipment and network and the employer WILL BE held responsible for misuses of it.

Uninstalling browser usually doesn't help. At some point IE or other browsers will be installed back and you will have the same problem. If you use NAT for Internet Browsing, you can use a firewall to fillter out the traffic. If you use HTTP Proxy, there are should be settings to block all traffic. Good luck!

Oh, dear.

Is your client really sure they want to do this?

There have been instances when firms have decided to curtail their employee's use of the Internet. And then had the nerve to whine when the employees cannot do tasks that rely on them accessing the Internet! (But guess whose fault THAT would be? Yours and the employees, of course! Not theirs!)

They might as well go back to using faxes. No, wait! Better, yet, rip the fax machines out and go back to using the postal system! ;)

Seeing as you're on workgroups and not a domain, can't you just go to each pc, log in as an admin and alter group policy?
Its gonna be a bit of a job doing it on so many pc's, but then thats your company's fault for not have a DC, tight gits.
That many pc and groups = DC for sure!!

Anyway, as long as your users log in as restricted users i'm sure you can do what i've suggested.

Did you notice that you just answered a question that is 6 years old?? I really hope that he got it resolved before now..

Yes, but the answer might be relevant to someone with a similar problem. ;)

Maybe, but his answer was cumbersome and wrong.. A simple router block would cover the whole network and take somewhat less than 60 seconds to do..

If a firm doesn't want workers to access the Internet, perhaps they should go back to using typewriters or pen and ink?;)