BenJi said:
But I dont want to go that deep.
These rules are for mobile units used by field technicians. I want to
implement this kind of rules, and I know it is possible, as I saw them
implemented in a public library. Browsing was limited to a dozen of sites,
through the Windows registry...
The enablement and list of sites specified by Content Advisor are stored in
the registry, so instead of going through the UI interface to Content
Advisor under Internet Options to update the registry keys, you could just
put them into the registry directly.
Internet Options also lets you specify which sites to include in the
Restricted Sites security zone but that is just another UI to update the
registry so you could also directly add/change values in the registry.
However, the Restricted Sites security zone does not bar you from visiting a
site, only in what features the browser will support when you download pages
from there.
The hosts file can be used to block access to sites but only by specifying
their IP address, and there may be several IP addresses used by front-end or
boundary hosts in a host farm for a domain. You can also only block sites
by having the hosts file redirect to localhost (127.0.0.1) rather than
specify only which hosts to allow. There are far too many IP addresses for
all hosts you want to block to put into a hosts file.
If you don't want to use a software firewall, IPSEC, or censorware, and
which blocks changing its settings unless an administrator account is used
or a password provided that only you know, and only if they hash their
registry keys so they cannot be identified by name to a hacker and their
values are hashed to provided detection of the change, then editing some
registry keys won't do you any good unless something actually uses those
registry keys. You could, for example, go to the advanced properties for
filtering options in your TCP/IP protocol and define which IP addresses (not
IP names) to allow or block, but again the users can change those although
you might thwart some users who don't know how to get around admin
permissions under Windows.
Look at the TCP/IP properties for your LAN connectoid (or dial-up if that is
what you use), advanced, select TCP/IP protocol, properties, advanced,
options, TCP/IP filtering, properties. Might be good enough for what you
want. I haven't checked this feature but I suspect it adds registry
settings under the
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip" registry key.
So if you make sure that none of your users's accounts are in the
Administrators group then they cannot [directly] edit the registry or load
..reg files to change any settings in there. If you give them admin
permissions for their accounts then you give them the same permissions that
you have.
