Thursday, May 17, 2012

How do I restrict access to Internet Explorer so that only certain sites can be visited?

2006-10-19: Internet Explorer can be configured to restrict access so that only a short list of approved sites can be accessed by anyone without a special password. Here's how to do it.
First, though, think about your audience. This can be a useful technique for a special-purpose computer in an office. For your kids, it is less effective because kids can find ways around such limitations. They might install an alternative web browser, disable Content Advisor through the Windows Registry, or boot the computer from a CD instead. And useful research for school often involves accessing many sites you haven't seen before. For young children, this approach may be useful, but for teenagers there's no substitute for supervision and education. Put their computer next to yours!
This is not a high-security "kiosk mode" solution. Skilled users can disable Content Advisor by manipulating the Windows Registry or booting from CD. With Windows XP Professional you can reduce the risk by using unprivileged accounts for ordinary users.
Ready to go? Great! Here's how to lock down Internet Explorer so that only certain sites of your choosing can be accessed. In a nutshell, we'll do it by telling Internet Explorer to:
1. Use a website "rating service" that doesn't actually rate any sites,
2. Forbid users from accessing sites that are not rated, and
3. Add the sites we do want to our private list of "Approved Sites" that can be accessed even though they are not rated.

How To Lock Down Internet Explorer

1. Start Windows Notepad. Follow these steps: Start Menu -> All Programs -> Accessories -> Notepad
Alternatively, right-click on the desktop (not an icon, on a blank area of the desktop), select "New," and select "Text Document."
2. Copy and paste the following into Notepad (everything within the parentheses). This is the rating service code for our special rating service that hates everything!

(
  (PICS-version 1.0)
  (name "Thumbs Down")
  (description "A fake rating service that doesn't rate anything.")
  (rating-system "http://notreally.madeup")
  (rating-service "http://notreally.madeup")
  (category
    (transmit-as "Please Use The Approved Sites Tab Instead!")
  )
)


3. Pull down the "File" menu of Notepad and pick "Save As..."
4. In the "File name:" field, type exactly this (copy and paste):
c:\windows\system32\thumbsdown.rat
Note: if you leave out the .rat extension it will not work.
This is correct for most modern Windows computers. Windows NT and 2000 users will need to substitute c:\winnt for c:\windows. If you have installed Windows in a nonstandard place, you will need to account for that. 99% of readers don't need to worry about this.
5. Click "Save" to save the file.
6. Exit Notepad (File -> Exit).
7. Launch Internet Explorer if it is not already open.
8. Click on the "Tools" menu of Internet Explorer.
9. Select "Internet Options..."
10. Select the "Content" tab.
11. Find the "Content Advisor" box (near the top of the window) and click on "Enable..."
12. If you have ever used Content Advisor before, you will be prompted for your Content Advisor supervisor password. If not, you will be invited to choose one, and to supply a hint to help you remember it.
If you have lost your supervisor password, you will need to delete it so that you can set up a new one. See the excellent PC Hell article, How to Remove Content Advisor Password in Internet Explorer.
13. You will see a message informing you that "Content Advisor has been turned on." Click OK.
14. Click on "Settings" in the "Content Advisor" box.
15. Click on the "General" tab.
16. Make sure "Users can see sites that have no rating" is not checked. Leave "Supervisor can type a password to allow users to view restricted content" checked. Trust me here: you will need to make exceptions and add new allowed sites, and you won't want to come all the way into "Internet Options" just to do that. Things come up.
17. Click on "Rating Systems..." in the "Rating systems" box.
18. If you see any Rating Systems listed, select each in turn and click the "Remove" button. You are doing this so that we can set up our special "fake" rating service that doesn't rate any sites. You can add other rating services back later if you change your mind about using this method.
19. Click the "Add" button. When the list of files appears, select thumbsdown. If you do not see it, you probably didn't save thumbsdown.rat to the right place in step 4. Go back and correct that.
20. You will see thumbsdown in the list of rating systems.
21. Click "OK" to close the "Rating Systems" dialog.
22. Click on the "Approved Sites" tab in Content Advisor. Type in the name of a site you DO want to allow users to access, such as:
www.boutell.com
Then click "Always." You don't need the "Never" button as all other sites are already forbidden. You can use the "Remove" button if you add the wrong site by mistake.
23. Repeat step 22 for as many sites as you wish. You can add more sites later, here in the Content Advisor or via the dialog box that pops up when a user tries to access an unapproved site (only with your password, of course).
24. Click "OK" again to dismiss "Internet Options."
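
A pre-flight check for the rating file saved in steps 2 to 4, as an added example that is not part of the original article: it parses the parenthesised text, confirms the .rat extension, and reports entries that went missing in the copy and paste. The function names and the list of expected entries are assumptions taken from the file shown in step 2, not from Internet Explorer's own parser.

```python
import re
# The rating file from step 2, embedded so the check runs offline.
SAMPLE_RAT = """(
  (PICS-version 1.0)
  (name "Thumbs Down")
  (description "A fake rating service that doesn't rate anything.")
  (rating-system "http://notreally.madeup")
  (rating-service "http://notreally.madeup")
  (category
    (transmit-as "Please Use The Approved Sites Tab Instead!")
  )
)"""
# Assumption: the entries the page's own file carries, not IE's rule set.
EXPECTED = ("pics-version", "name", "rating-system", "rating-service", "category")
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse(text):
    """Turn the parenthesised text into nested lists; ValueError if unbalanced."""
    stack = [[]]  # stack[0] collects top-level items
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unmatched ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok.strip('"'))
    if len(stack) > 1:
        raise ValueError("missing ')': was the whole block copied?")
    top = stack[0]
    if len(top) != 1 or not isinstance(top[0], list):
        raise ValueError("expected one outer (...) block")
    return top[0]

def check_rat(filename, text):
    """Return a list of problems with a saved copy of the step 2 file."""
    problems = []
    if not filename.lower().endswith(".rat"):
        problems.append("file name must end in .rat")
    try:
        tree = parse(text)
    except ValueError as err:
        return problems + [str(err)]
    keys = {e[0].lower() for e in tree
            if isinstance(e, list) and e and isinstance(e[0], str)}
    problems += ["missing (%s ...)" % k for k in EXPECTED if k not in keys]
    return problems
```

Calling check_rat with the saved file's name and contents returns an empty list when the copy is intact; a name such as thumbsdown.rat.txt is reported because it lacks the .rat extension the note under step 4 requires.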

Making Sure It Worked

That's it! Internet Explorer is locked down. But did it work? Time to make sure!
First, try to access an approved site. You will get through with no warnings, as long as the site is listed in your "Approved Sites" list and spelled correctly there. Note that "sub-sites" like "mail.example.com" are not automatically approved just because "example.com" is approved! You will need to list them separately.
Now try to access a site you did not allow. You will see Content Advisor's "Sorry! Content Advisor will not allow you to see this site" page. As the supervisor, you can select "Always allow this Website to be viewed," "Always allow this Web page (one page, not all pages on the site) to be viewed," or "Allow viewing only this time" and enter your supervisor password. Other users won't have the password, so they will not be able to access the site. All they can do is click Cancel and go back to a more appropriate site.
This is a useful technique for small-office workstations and computers used by small children. But as I've mentioned, there are ways around this. Teenagers and employees with serious discipline issues can and will edit the registry or boot computers straight from a CD. The main purpose of techniques like this one is to keep honest people honest and remind them that the computer is not to be used for unauthorized purposes. Education and supervision are the only effective methods of controlling the Internet behavior of older children. And keep in mind that email and instant messaging contacts with adults unknown to you are far more dangerous than websites. If you take supervision of your child's Internet activities seriously, set up your child's computer next to your own!
