XP Network config to allow Printer access but block Internet.

[douggibbs]

We currently have a linksys wireless router in place and have three
computers, with XP Pro, on it using DHCP to obtain an IP from the
router.

How would I set up one of the computers (the one in the boys' room) on
our network so that it can access local resources, like printers and
files, but have no access to the internet.

Thank you muchly for any response.

 

[Jack \(MVP-Networking\).]

Hi
Successful Sharing involves some general consideration in Network settings,
http://www.ezlan.net/sharing.html
As well as specific adjustment of each computer according to what it is
allowed to be shared.
Vista File and Printer Sharing-
http://www.microsoft.com/technet/network/evaluate/vista_fp.mspx
Basic XP -
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/filesharing.mspx
Advanced XP - http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
Printer Sharing XP -
http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_july2.mspx
Windows Native Firewall setting for Sharing XP -
http://support.microsoft.com/kb/875357
Windows XP patch for Sharing with Vista -
http://support.microsoft.com/kb/922120
Jack (MVP-Networking).

 

[Steve Winograd]

We currently have a linksys wireless router in place and have three
computers, with XP Pro, on it using DHCP to obtain an IP from the
router.

How would I set up one of the computers (the one in the boys' room) on
our network so that it can access local resources, like printers and
files, but have no access to the internet.

Thank you muchly for any response.

Assign the boys' computer a static IP address in the same subnet that
the DHCP server assigns. That will give the computer local area
network access.

Don't assign the computer a default gateway or DNS server address.
That will prevent it from accessing the Internet.

Give the boys limited user accounts so that they can't change the
network settings.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Lem]

We currently have a linksys wireless router in place and have three
computers, with XP Pro, on it using DHCP to obtain an IP from the
router.

How would I set up one of the computers (the one in the boys' room) on
our network so that it can access local resources, like printers and
files, but have no access to the internet.

Thank you muchly for any response.

If you think your boys are computer-savvy enough to get around the
suggestion Steve Winograd made, your Linksys router probably has the
capability to deny Internet access to any computer on your local
network. Target PCs may be identified either by IP or MAC address, and
the limitation can be configured by time of day and day of week, website
address(s) or keywords.



--
Lem -- MS-MVP - Networking

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm

 

[John B]

So be sure to password the Linksys router; and to keep it behind a locked
door so JR cannot hit the reset button.

 

[John B]

This technique will also block JR from having e-mail access, right? After
all, e-mail works through IP addressing, and if JR's computer cannot find
the router, thanks to lack of knowledge of default gateway, then e-mail
cannot work either, right? (I haven't experimented with e-mail this way, so
my question is not merely rhetorical.)

How would you adjust your technique to allow e-mail, while blocking internet
surfing, in general?

Removing browser software from JR's computer comes to mind. But that will
SURELY tempt JR to engineer his way around that strategy.


I have long surrendered to my sons on this point. The older one (age 15) is
extremely adept, though I can still teach him a thing or two. Fortunately,
they are "good kids." Hmmm... Now you've got me worried.

 

[John B]

You can surely lock JR out of the internet if you double home YOUR computer.
Be sure to use different IP NETWORK addresses for your two nets; no bridging
here! One net goes to router and internet, while second net links JR's
computer with your computer. A problem arises if a third computer needs
internet access, and also possesses resources that JR must access.

Double homing become impractical if you are relying on wireless networking
in your home. In such case, you'll need a second wireless broadcasting
device, or "access point" to propagate the second network. Common wireless
routers can be implemented to serve in this role. But for the sake of
argument, I will assume your SOHO is wired, rather than wireless. You might
then have to pull some more ethernet wire, depending on the layout and
topology of your SOHO.

To resolve the "problem" mentioned in the first paragraph of my response,
you can double home the third computer, as well. Now your son can access
the third computer's shared resources, while still being blocked from
internet; i.e, blocked from the FIRST IP NETWORK, thanks to lack of routing
in YOUR computer and the THIRD computer. If your son is clever enough to
turn either of these two XP Pro computers into routers, then this plan falls
apart. This is theoretically possible, and the instructions to do this are
"available on the internet."

What's your son gonna do with internet access?? Build an atomic bomb?!

Ultimately, your strategy will boil down to your ability to keep passwords
away from JR's access. Be sure to password the "administrator" that is
accessible only while booting up into safe mode. My SON told me about that
one!

Configuring routers to block access boils down to keeping said router(s)
behind locked doors, because JR can press the reset button on any router.
Physical locking of passageways has its own hazardous implications.

 

[John B]

Sent via OE by John, from MERCURY

Assign the boys' computer a static IP address in the same subnet that
the DHCP server assigns. That will give the computer local area
network access.

Don't assign the computer a default gateway or DNS server address.
That will prevent it from accessing the Internet.

Give the boys limited user accounts so that they can't change the
network settings.

I don't have XP Pro here, to try this myself.
So the boys have limited accounts, and do not know administrator-level
passwords.
It is safely assumed that limited users cannot change the IP settings, so as
to add the default gateway.
Question:
Can limited users perform command line functions ("route add") so as to
change the routing table inside their computer? This could essentially
provide the route to the gateway, and the world.

 

[Steve Winograd]

Sent via OE by John, from MERCURY


I don't have XP Pro here, to try this myself.
So the boys have limited accounts, and do not know administrator-level
passwords.
It is safely assumed that limited users cannot change the IP settings, so as
to add the default gateway.
Question:
Can limited users perform command line functions ("route add") so as to
change the routing table inside their computer? This could essentially
provide the route to the gateway, and the world.

Limited users can't change the route table or assign a DNS server.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[douggibbs]

You can surely lock JR out of the internet if you double home YOUR computer.
Be sure to use different IP NETWORK addresses for your two nets; no bridging
here!  One net goes to router and internet, while second net links JR's
computer with your computer.    A problem arises if a third computer needs
internet access, and also possesses resources that JR must access.

Double homing become impractical if you are relying on wireless networking
in your home.  In such case, you'll need a second wireless broadcasting
device, or "access point" to propagate the second network.  Common wireless
routers can be implemented to serve in this role.  But for the sake of
argument, I will assume your SOHO is wired, rather than wireless.  You might
then have to pull some more ethernet wire, depending on the layout and
topology of your SOHO.

To resolve the "problem" mentioned in the first paragraph of my response,
you can double home the third computer, as well.  Now your son can access
the third computer's shared resources, while still being blocked from
internet; i.e, blocked from the FIRST IP NETWORK, thanks to lack of routing
in YOUR computer and the THIRD computer.  If your son is clever enough to
turn either of these two XP Pro computers into routers, then this plan falls
apart.  This is theoretically possible, and the instructions to do this are
"available on the internet."

What's your son gonna do with internet access??  Build an atomic bomb?!

Ultimately, your strategy will boil down to your ability to keep passwords
away from JR's access.  Be sure to password the "administrator" that is
accessible only while booting up into safe mode.  My SON told me about that
one!

Configuring routers to block access boils down to keeping said router(s)
behind locked doors, because JR can press the reset button on any router.
Physical locking of passageways has its own hazardous implications.

Thank you for your response. I the little fellas (14, 12) reset the
router they will have to deal with more than just restricted internet
access. )

 

[douggibbs]

We currently have a linksys wireless router in place and have three
computers, with XP Pro, on it using DHCP to obtain an IP from the
router.

How would I set up one of the computers (the one in the boys' room) on
our network so that it can access local resources, like printers and
files, but have no access to the internet.

Thank you muchly for any response.

THANKS TO EVERYONE FOR YOUR RESPONSES.