Multiple Site Administration

Randy Whitehead

Can anyone tell me the best way to set up Win2000 so that I can keep users
from installing any adware, games, trojans, etc. Currently, all of our
sites are set up as workgroups and each user has administrative privileges.
I was thinking about moving each site to a domain (just for user
administration), but didn't know if that would also help me in these other
areas.

Second, what is the best way to limit the web sites that a user can access?
I am looking for something fairly inexpensive (I would have to buy for 18
sites) and that would also be fairly easy to administer.

Also, most of our sites have either Cable/DSL or T1 connections and are
using a Linksys Cable/DSL router. Is that sufficient protection or should I
be using a higher end unit?


Thanks for all the help,

Randy
 
Steven L Umbach

As long as the users are local administrators it is almost a lost cause to
try to restrict them. A domain would allow you to apply Group Policy but
they could log on to the local machine to avoid receiving user configuration
Group Policy. If you have any XP Pro machines, you could use Software
Restriction Policies to lock them down even if they are local administrators
unless they unjoin their machines from the domain. Bottom line is to see if
you can have them function without being local administrators, which
alone would solve most of your problems, and then use Group Policy to further
restrict them, including setting standards for Internet Explorer Web Content
Zones and preventing them from changing settings.

To limit what sites they can visit ideally something like Microsoft ISA
server would be used. That probably is not in the cards for you. Many of the
NAT/firewall devices however can control access to the internet based on
URLs, keywords, domain names, or IP addresses of websites. You would want a
device that can "block all except". Keep in mind that users may be able to
work around some restrictions by entering the IP address of a site in the IE
address bar which is why using IP addresses is the best way to control
internet access, but may require ongoing tweaking.

The Linksys devices [as other low end ones] do a surprisingly good job and
do not require user limits fees. They may however not allow much in the way
of controlling outbound access as the more rules a device must process, the
more powerful a processor and memory it needs. I suggest that the devices
you use be true SPI firewalls such as the Netgear ProSafe line [as low as
$75] and some Linksys have SPI also. You really want to control outbound
access as that can really cut down on a lot of the garbage your users are
getting from the internet. The best tactic is to have a block all rule and
add the allowed exceptions such as port 80 tcp for http, etc. You could also
assign static IP addresses to those computers that should have full access
and create separate firewall rules for them. If you are upgrading those
devices or still purchasing, take a look at the new Linksys RV082 which is
reasonably priced [around $275] and is a big step up from entry level NAT
devices. See the link below for that device and you can read the manuals
from any of these manufacturers at their websites to see the capabilities
before you buy. --- Steve

http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=589
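
The block-all rule with allowed exceptions and separate rules for static-IP machines, described in the reply above, modelled as an added example that is not part of the original thread. The addresses, the extra https and DNS exceptions, and the sample traffic are constructed assumptions; a real device is configured through its own rule interface.

```python
import ipaddress

# Constructed policy (assumption, not from the thread): first match wins,
# and anything that matches no rule falls through to the block-all default.
LAN = ipaddress.ip_network("192.168.1.0/24")
# Machines given a static IP and full outbound access (hypothetical address).
FULL_ACCESS_HOSTS = {ipaddress.ip_address("192.168.1.10")}
RULES = [
    # (source network, protocol, destination port or None for any, action)
    (LAN, "tcp", 80, "allow"),   # http, the exception named in the reply
    (LAN, "tcp", 443, "allow"),  # https (assumed exception)
    (LAN, "udp", 53, "allow"),   # DNS lookups (assumed exception)
]


def evaluate(src, proto, dport):
    """Return 'allow' or 'block' for one outbound connection attempt."""
    src_ip = ipaddress.ip_address(src)
    if src_ip in FULL_ACCESS_HOSTS:
        return "allow"
    for net, rule_proto, rule_port, action in RULES:
        if src_ip in net and proto == rule_proto and rule_port in (None, dport):
            return action
    return "block"  # block-all default


def audit(attempts):
    """Group blocked attempts by source host so they can be followed up."""
    blocked = {}
    for src, proto, dport in attempts:
        if evaluate(src, proto, dport) == "block":
            blocked.setdefault(src, []).append(f"{proto}/{dport}")
    return blocked


# Constructed sample traffic: (source IP, protocol, destination port)
SAMPLE = [
    ("192.168.1.23", "tcp", 80),    # ordinary browsing
    ("192.168.1.23", "tcp", 6667),  # not in the exception list
    ("192.168.1.23", "tcp", 1214),  # not in the exception list
    ("192.168.1.10", "tcp", 3389),  # full-access static-IP machine
    ("192.168.1.40", "udp", 53),
    ("192.168.1.40", "tcp", 25),    # direct outbound mail is not allowed
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(row, evaluate(*row))
    print(audit(SAMPLE))
```

Hosts that appear in the audit output are the ones generating traffic outside the allowed exceptions.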
 
