I have a Windows 2000 Server on a Network with 6 computers. I have a
Netopia Cayman Router.

Here's what I want to do. 

Two of my employees surf the web WAY too much. There are a few sites I
would like to ban from their surfing, HOWEVER before 9am and AFTER
5pm, I want them to be able to look at those sites if they please.

Is there some type of software I can install for the Router, or for
the server, that will Control their ability to surf certain sites? I
need them online all day long there are just a handful of sites which
need to stop being played on.

Please help!!

---

Request for Question Clarification by maniac-ga on 10 Sep 2003 10:39 PDT

Hello Rooey,

A "complete" solution can be done in a variety of ways - let me
outline a few to see what is easiest for you to implement. Many of
these require some method to "turn on" or "turn off" the access - I
suggest a script or batch job to do that. I've labeled these [enable]
instead of repeating that phrase. Indicate the operating system(s)
available so I can suggest a good solution.

[1] At a large company, this is often done through use of a
combination firewall / HTTP proxy server. You configure the proxy to
deliver "Do no go here" messages for the banned sites. [enable] This
also has an advantage that it can help reduce the load on your
internet connection (by caching locally frequently used pages). A
dedicated PC could do this quite nicely for a small office. I can
suggest some configurations / tools to implement this.

[2] If the list of IP addresses to ban is relatively modest, you could
 a. Add static routes to a local machine. [enable]
 b. Add host entries for the named hosts to point to 127.0.0.1 or
something similar. [enable]
These basically require no new equipment but has some administrative
hassles.

[3] You could establish a company policy that web [basically all
computer] access can be monitored and should be used for business use.
Occasional [not way too much] personal use is allowed and review this
with all employees. If they continue to abuse the policy - I'd start
looking for new employees.

[4] Install a "surf guard" (or similar product) and configure to block
access to the sites. This should be put on all the machines, not just
the two abusers.

I would also question why you would allow access to these sites after
5pm. If the sites are not work related, make it clear they are banned
and cut off access unless there is a clear business case for access.

Do you want an answer that pursues one or more of these options?
Please advise.

  --Maniac

---

Clarification of Question by rooey-ga on 10 Sep 2003 11:21 PDT

Thanks for the quick reply.

Here's the deal. They know the policy, they abuse it anyway.

I want to shut them off from 9 to 5 so they cannot visit 5 different
sites, (espn.com, etc.)

IS there something in particular I can do, so that 9 to 5 they cannot
visit those sites? They work late sometimes, and I don't worry about
that after hours.

I want it automated, so I dont have to personally do it. 

Its fine if it does it to all employees as well, not just the two.

Let me know what I can do!

---

Request for Question Clarification by webadept-ga on 10 Sep 2003 13:04 PDT

Hi, 

maniac-ga's suggestion #2 could be done automatically with a simple
Perl script, which is timed on the server running your DNS. The host
file is always looked at first, no matter what the DNS says, so you
build a host file that blocks the sites, and one that lets everything
through, and switch them out at 9 and 5. really simple. Don't even
need Perl really, a simple batch job will do the trick.

I'm sure maniac-ga can elaborate more on this, just didn't think about
it at the time. Personally I would switch it out at 6 am, rather than
9, just to make sure it is on when they get in.

webadept-ga

---

Clarification of Question by rooey-ga on 10 Sep 2003 13:54 PDT

Part of their job is to surf the web. 

The question isn't really about rules. Pretend this had nothing to do
with employees for a second.

Hypothetically....

I want to block the use of 6 sites from 9am to 5pm. How do I do it,
and what script should I use?

Thanks!

Hello Rooey,

Based on what you described, let me walk through the second solution
in some detail. I can certainly work out one of the other solutions if
this does not completely satisfy you.

First, you need to find the host file and make a copy and name it
hosts.open which has the current contents. The hosts file should be at
  C:\winnt\system32\drivers\etc\hosts
If it is not there, let me know so I can check tomorrow AM when I have
better access to a Windows 2000 machine and figure out if other
locations may apply.

Second, make a second copy (hosts.closed) that has the same
information plus lines for each of the blocked sites. The added lines
will be of the form:
  127.0.0.1 www.espn.com
  127.0.0.1 espn.com
and so on. For an extensive example of these added lines, check out
  http://www.ecst.csuchico.edu/~atman/spam/adblock.shtml
which blocks a number of advertising sites. You may want to do this as
well; that would get rid of the annoying ads which are probably not
business related either. This page also makes a comment related to
changing proxy settings - based on what you said in your question and
clarification, that should not apply.

Third, we need a pair of simple .BAT files to open / close the access
to the network. This can be something as simple as
  COPY C:\winnt\system32\drivers\etc\hosts.closed
C:\winnt\system32\drivers\etc\hosts
for the close access file and
  COPY C:\winnt\system32\drivers\etc\hosts.open
C:\winnt\system32\drivers\etc\hosts
for the open access file. [those should both be one line BAT files]
Let's call them CINET.BAT and OINET.BAT for the close and open files
respectively. You can create them with notepad or any other text
editor.

Next, we need to test this. Open a command window and run the
CINET.BAT file. It should run without error (or any messages). Bring
up the web browser and try to access espn.com and confirm that you get
blocked. Now run the OINET.BAT file. Again - no messages or errors are
expected. Try to access espn.com and confirm that it works. If it is a
work day - run CINET.BAT one more time to leave access blocked. If
these both work OK - you are set for the final step to schedule the
scripts to run each work day. If not - be sure to use a clarification
request so I can walk through fixing the problem.

Finally, we need to schedule the close file to activate each day at
9am and the open file to activate at 5pm each day. Using
  http://www.jsiinc.com/subg/tip3200/rh3215.htm
as a guide, you can use a pair of AT commands to schedule the tasks.
This assumes the task scheduler is already set up - if not, let me
know and I can walk you through that as well.

For example, if those two BAT files are in the same directory as the
hosts file, open up a command window and enter commands like:

  AT 09:00 /every:M,Tu,W,Th,F C:\winnt\system32\drivers\etc\CINET.BAT
  AT 17:00 /every:M,Tu,W,Th,F C:\winnt\system32\drivers\etc\OINET.BAT

to do enable swap. You may be able to set this up using the GUI
inteface, but according to the page above - that may not work so I'd
try the above first. I also have this set so it works every work day
(not weekends) at the specified time. I assume you don't care about
weekends - if you do, add Sa and Su to the list of days.

At this point you should be set up to block the sites you don't want
accessed during the day. Note that you can update hosts.closed at any
time and the changes will take effect right away.

To find this information, I searched using phrases such as:
  windows 2000 location hosts file
  schedule job windows 2000
  block web access windows 2000
  blacklist web windows 2000

The last couple provide references to a number of sites with
commercial web site blocking software. They would give you a more
capable / polished solution. For example:
  http://www.codework.com/bcontrol/product.html
  http://www.nnstore.com/products/netnanny5/
there are a number of others, but I would make sure they include a
"blacklist" capability instead of (or in addition) to the general
category blocking.

Good luck with your business and don't hesitate to ask for
clarification if this does not work and/or is unclear how to do.

  --Maniac

---

Request for Answer Clarification by rooey-ga on 10 Sep 2003 20:35 PDT

Maniac,

Thank you so much for your clarification, and your answer was very
thorough!!

I have ONE question regarding this answer:

1) If I do as follows (according to your answer), it will change the
hosts file on the server, not allowing the Server to surf those
sites.... How do I push the hosts file to the local computers from the
server.

---

Clarification of Answer by maniac-ga on 10 Sep 2003 21:22 PDT

Hello Rooey,

There are at least two ways to do this.

[1] After you check it out one one machine and have all the files, go
to each machine (as an administrator), copy the .BAT and hosts files
and then do the AT command on each one to set up the enable / disable.
[2] IF you have shared folders enabled (in particular the C drive)
where the administrator on the server can mount / copy files. You
could do the file copying from the server using the shared folders.
However, I would still expect you to have to set up the scheduled
tasks on each machine.

There are some variations on that. For example, there are remote
control programs that allow you to control another machine from a
server - you could use that to avoid having to sit in front of each
machine.

Another alternative that may be feasible - IF all the local computers
use the server as the Domain Name Server (DNS).
 - Update the file on the server using the original method.
 - Check to see if the local computer is now blocked. If so - you are
set by just updating the server, all local computers are blocked. If
not - try restarting the DNS server.
In either case, the next time the local computer asks for the IP
address of one of the blocked hosts, they would get the local address
(and thus get blocked). In this way - you only have one machine to
apply the updates to.

One other thing that comes to mind. This method (of changing the hosts
file) does not completely block access from a site like espn.com. IF
the user knew the IP address number of www.espn.com, they could type
in the number to attempt to get through. It may work - it may not, it
depends on how the web site is coded up. That method would require a
bit of arcane knowledge however, and is not likely something your
users will know about.
  --Maniac

If they abuse the policy, just take away the sites altogether!

rooey...

While suggestion #2, as given by maniac-ga, and fleshed-out by
webadept-ga, would be the simplest means and likely my first
choice, you might want to consider that, human nature being
what it is, if you successfully block only those specific
sites, such as ESPN, your employees will adapt by using 
different sites to obtain what they're seeking.

You would then be faced with updating the batch file with 
the alternative sites they choose, on an ongoing basis.
I would suggest that, if possible, you use a solution
that doesn't require this ongoing struggle, though I 
personally don't know what this would be.

http://www.watchguard.com/products/webblock.asp

Our company uses this site...

Creating host file entries really isn't a solution but rather futile
attempt that can be EASILY bypassed by using, and VERY inronically,
Google.

All someone has to do is use Googles language translation feature to
view these sites.

goto Google
Do a search on .... fudgesicles (it really doesn't matter what you
search for)
Click Language Tools at the top pf page
scroll to the "Translate a web page:" text box
Enter in you site  (espn.com)
Choose to translate from German to English (you always need to
translate into English)
and you end up with a URL as such

http://translate.google.com/translate?u=http%3A%2F%2Fespn.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools


Basically using Google as a proxy of sorts, COMPLETELY bypassing any
restrictions placed in the hosts file (unless ofcourse you plan on
banning Google (bad)).

My point is that you need to devise a more clever solution than host
file entries