Jim's suggestion is great, and is the preferred method, unless you're
using laptops that roam, or otherwise have no control over the edge of
the network your PCs connect from. In that case, you have to make the
configuration on the client side, and lock things down to where your
tweaks are difficult for the average user to undo.
I suggest using a Proxy Auto configuration script that is set up to
proxies all traffic destined for websites other than the one you want to
allow to a bogus proxy server, say 127.0.0.1:8080. The one site you
allow, will be connected to directly. Take the following text, paste it
into notepad, and save it in C:\program files\internet explorer\.
function FindProxyForURL(url, host)
{
if (shExpMatch(host, "*.whathever.com"))
{
return "DIRECT";
}
else
{
return "PROXY 127.0.0.1:8080";
}
}
This script will allow a connection to any host at "whatever.com", and
all other traffic is proxied to 127.0.0.1:8080.
IE allows the PAC to be configured via group (or local) policy.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Jim Harrison
Sent: Monday, April 09, 2007 12:26 PM
To: Rocky; focus-ms@securityfocus.com
Subject: RE: blocking thru IE
Rather than trying to control it at the client (where the user can
potentially disable your tweaks), exercise this control at the edge.
Whether you use ISA, Checkpoint, Pix, BlueCoat, Juniper or WinGate, the
process is basically the same.
1. Determine where that web site lives. This can be difficult if its
hosted by one of the "big kids", like Akamai, since they use a
globally-dispersed, short-lived RR-name scheme (20 sec TTL).
2. Block those requests by name and IP at the edge.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Rocky
Sent: Friday, April 06, 2007 10:49 AM
To: focus-ms@securityfocus.com
Subject: blocking thru IE
Hey guys, is there a way to block everything on IE6 or Firefox 2.0 and
just permit one website? i'm playing with IE content but i just can't
get
it done.
thanks a lot.
rocky
All mail to and from this domain is GFI-scanned.
Confidentiality Notice: This e-mail and any attached files transmitted may
contain confidential and privileged information and are intended solely for the
use of the individual or entity to which they are addressed. If you are not the
intended recipient or the person responsible for delivering the e-mail to the
intended recipient, be advised that you have received this e-mail and any
attached files in error and that any use, dissemination, forwarding, printing
or copying of this e-mail and /or any attached files is strictly prohibited. If
you have received this e-mail in error, please immediately notify the sender
and destroy the original message and any attached files.
