Page 1 of 1 1
Topic Options
#35924 - 2003-02-02 09:38 AM deny internet acces by group
gf Offline
Fresh Scripter

Registered: 2001-07-08
Posts: 29
Hi i am administrating 25 clients with win 98 in a win 2000 server. Is it posible to deny internet acces for a group for eksampel: pupils?

regards
glennf

Top
#35925 - 2003-02-02 03:20 PM Re: deny internet acces by group
pvds Offline
Hey THIS is FUN
*****

Registered: 2001-04-14
Posts: 201
Hi,

Yes it can be done with MS proxy or ISA server.

GR Peter

Top
#35926 - 2003-02-02 04:12 PM Re: deny internet acces by group
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Or any other proxy server, e.g. free Linux-based proxies.

BTW, as this question is not KiXtart-related it should rather be posted in the 'General' forum.

[ 02. February 2003, 16:13: Message edited by: sealeopard ]
_________________________
There are two types of vessels, submarines and targets.

Top
#35927 - 2003-02-03 08:47 AM Re: deny internet acces by group
jpeachman Offline
Fresh Scripter

Registered: 2002-11-18
Posts: 39
It can be done using KiXtart--I'm doing exactly that at a public school. If your browser is Internet Explorer, you don't actually have to use a proxy server, but this method does require you to create a registry entry for a "phantom" proxy server:
code:
WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyServer",
"ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=0.0.0.0:80;https=0.0.0.0:80","REG_SZ")

With this entry in place (which only has to be done once per user account), the following code can be used to turn access on and off:
code:
IF $internet="Y"
WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyEnable","0","REG_DWORD")
WriteValue("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel","Proxy","0","REG_DWORD")
ELSE
WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyEnable","1","REG_DWORD")
WriteValue("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel","Proxy","1","REG_DWORD")
ENDIF

You can set the value of $internet according to whatever criteria you wish, including group membership. You can also get fancier by turning on or off the IE icon on the desktop, and hiding or showing it in the start menu and quicklaunch bar.

One caveat: on your Windows 98 clients, the HKCU hive (where these entries need to be made) isn't loaded yet when the normal login script is processed. I handle that by including all the HKCU entries for Win9x clients in a second script (called logon9x.kix), and create a RunOnce entry invoking it in my primary login script:
code:
WriteValue("HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce","Logon9x",
"kix32.exe \\servername\netlogon\LOGON9x","REG_SZ")

Hope this helps!

Joe

Top
#35928 - 2003-02-03 02:37 PM Re: deny internet acces by group
gf Offline
Fresh Scripter

Registered: 2001-07-08
Posts: 29
thanks

This is the kind of code i was looking for.

Anyone knows it can be done with a proxyserver

Top
#35929 - 2003-02-03 03:40 PM Re: deny internet acces by group
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
hello I use the following to good effect
code:
 

;---------------------------------------Removes internet access PER GROUP ----------------------------

;disable proxy
If InGroup("YR6")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If InGroup("YR8")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If InGroup("YR9")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\enanet.reg"
EndIf

;disable proxy
If InGroup("YR10")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If InGroup("YR11")
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;---------------------------------------Removes internet access PER USER ----------------------------

;disable proxy
If @USERID="9368KASHIF"
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf

;disable proxy
If @USERID="9286NAVEED"
$rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf


Regards

Steve Wintle
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

Top
#35930 - 2003-02-03 03:43 PM Re: deny internet acces by group
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
I guess Id better tell you that disanet and enanet both toggle the proxyserver setting per user and i have copied each reg setting to the clients..

Steve
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

Top
#35931 - 2003-02-03 03:53 PM Re: deny internet acces by group
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Controlling internet access through reg hacks rather than by proxy is relying on ignorance. What's to stop the students from changing it after logon?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#35932 - 2003-02-03 05:29 PM Re: deny internet acces by group
Stephen Wintle Offline
Seasoned Scripter

Registered: 2001-04-10
Posts: 444
Loc: England
IEAK....

Steve
_________________________
Dont worry because a rival imitates you. As long as they follow in your tracks they cant pass you!

Top
#35933 - 2003-02-03 05:34 PM Re: deny internet acces by group
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
I'm sorry, but IEAK cannot prevent even a novice cracker from reversing what the logon reg hack does.

That is just security by ignorance.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#35934 - 2003-02-03 06:33 PM Re: deny internet acces by group
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
The correct (and secure) way to enable/disable Internet access is by written policy and proxy server (free Linux-based for the continously cash-strapped schools).
_________________________
There are two types of vessels, submarines and targets.

Top
#35935 - 2003-02-03 10:23 PM Re: deny internet acces by group
jpeachman Offline
Fresh Scripter

Registered: 2002-11-18
Posts: 39
I don't disagree that running a REAL proxy server is more ironclad, but....

In real life, 99%+ of the students at my school don't have the skills or knowledge to begin to attack the "problem" of bypassing a reg hack, nor do even the more knowledgeable among them know this is WHY they can't get on in the first place. We do remove display of all IE icons on restricted accounts, and have limited Windows Explorer to local folders only. We've actually done a pretty decent job of closing loopholes through which they might attempt unauthorized internet access, even on Windows 9x machines. They don't have access to Internet Options, registry editing tools, a command prompt, etc., can only run authorized programs, and local hard drive contents are hidden. And our students' computer access is monitored, in that staff are present and screens visible when students are using them.

There are further blocks which could be applied, such as manipulating Content Advisor settings, if you want another line of defense. If you don't mind running more than one network protocol, you might even try fiddling with TCP/IP settings. But in several years, it hasn't been a problem yet, though I'm not oblivious to the possibility--and I'm always looking for new ways to crank up security (I even challenged a gifted student who worked with me to come up with creative ways to hack our system, and used the results to improve our security). But in the end, this is less intended as an absolute lockdown than as a practical management tool. Backing everything up with written policies defining consequences for unauthorized tampering with the system is an essential element, too.

Frankly, as long as some accounts have internet access and some don't, the greater danger probably lies in students obtaining access to passwords letting them use someone else's account, which would be an issue even with a proxy server in place. We all hear that "social engineering" represents the greatest threat to most systems.

I'm not going to say this is the best possible solution, but the question was raised in the KiXtart forum, which I take to imply asking can this be done using KiXtart, and the answer is yes, it can. In our case, there are some practical problems with using a proxy server, with some machines on our network being maintained and controlled by our district, and others at our site level, with different rules and access needs being applicable. It's not necessarily that it can't be physically done, but there are some very real administrative obstacles which we're working with here. Meanwhile, we've come up with an approach that is getting the job done.

Joe

Top
#35936 - 2003-02-04 10:51 AM Re: deny internet acces by group
Darren_W Offline
Hey THIS is FUN
*****

Registered: 2001-10-10
Posts: 208
Loc: Bristol, England
Hi,

You don't need to install a linux server to use Squid as there is a precompiled GPL version that will run on NT/2000 available from here.

There may be some advantages to this with improved speed from cacheing and as mentioned above:

Link to Site

Think this UDF May be handy to: Proxy UDF

Darren

[ 04. February 2003, 10:54: Message edited by: Darren ]
_________________________
I want to share something with you - the three sentences that will get you through life.
Number 1, 'cover for me.'
Number 2, 'oh, good idea, boss.'
Number 3, 'it was like that when I got here'.

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
1 registered (Allen) and 466 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.063 seconds in which 0.024 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org