Q: Blocking access to chat programs (MSN,Yahoo etc) (No Answer, 8 Comments)
Question  
Subject: Blocking access to chat programs (MSN,Yahoo etc)
Category: Computers
Asked by: desert_rose-ga
List Price: $5.00
Posted: 20 Jan 2006 16:32 PST
Expires: 19 Feb 2006 16:32 PST
Question ID: 436011
We connect to the internet through a LAN (using the modem SpeedTouch
585), and we want to disable access to chat programs like MSN
Messenger and Yahoo Messenger and some websites but only want to
disable it for specific users and not all the users connecting to the
LAN.

Clarification of Question by desert_rose-ga on 21 Jan 2006 09:17 PST
I have access to the computers that need to be blocked from accessing
the chat programs, can someone tell me how to do that please.
Answer  
There is no answer at this time.

Comments  
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: bezoeng-ga on 21 Jan 2006 10:10 PST
 
Generally this is an administration capability, so I advise you to
install Active Directory Server in your network, through which you will
be able to block whatever program (using Group Policy). Regarding the
websites, you can configure the server to block them by installing a
simple firewall program.
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: apostacies-ga on 21 Jan 2006 10:47 PST
 
This is really a simple matter if you have access to the network router.
Open a web page, go to http://192.168.1.1 or sometimes http://192.168.2.1
This should be the router setup page.

Here you can do all sorts of administrative things. In my router
setup I can restrict ports for times of day even. Each computer will
have a local IP address, usually 192.168.1.2 or
192.168.1.3 etc. You choose which computer and which port to block at which time.

Yahoo Messenger is on port 5050; if you only want to block the webcam, port 5100.
MSN Messenger operates on 1863.

Check out this site for more ports:
http://www.chebucto.ns.ca/~rakerman/port-table.html

As for websites, you may be able to block them as well in the router setup.

I hope this helps.
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: desert_rose-ga on 21 Jan 2006 13:06 PST
 
I have access to the network router, which is http://10.0.0.138 by
default, but my router has limited options (SpeedTouch 585). I can't
block access for specific users; if I choose to block, it blocks for all
users on the network, unless there is another way I don't know about.
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: abhishekpatidar-ga on 23 Jan 2006 17:44 PST
 
There are many commercial products available to achieve what you want.
1. Checkpoint Firewall, which can be integrated with ADS to
block/grant user-level access to the outside world on the internet.

2. Microsoft ISA Server, integrated with ADS to provide access to specific users.

Please verify the version of these products for compatibility in your
environment before finally deciding.
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: thambidurai-ga on 27 Jan 2006 06:25 PST
 
If you need any third-party software, please try CCProxy; this is a
15-day trial and supports only 3 users at a time.
See here: http://www.youngzsoft.net/ccproxy/
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: efespilsen-ga on 28 Jan 2006 22:00 PST
 
You can block instant messaging programs at 2 different points:
1- Over the network
2- Via desktop security

To block access over the network, all internet connectivity must pass
through the control system. A control system can be a firewall, or
proxy. Usually proxies are much more effective since they work at the
application layer explicitly (most of the time).

But the ultimate control can be applied from the desktops. All desktop
security suites have a feature called "Application control". If you
enable application control and manage it from a central point, you can
block the execution of the instant messaging applications.

You can control the desktop applications also with central management
platforms (like Active Directory on Microsoft systems).

There are special dedicated IM proxies where you can deploy
sophisticated IM (instant messaging) policies.

So my question is about your budget. I can send a couple of
solution alternatives within your budget range.
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: vipinshetty-ga on 30 Jan 2006 21:39 PST
 
You can modify the hosts file on the computers to block chats/sites.
This is a very rudimentary way of doing it: you can modify the hosts
file located at "C:\WINNT\system32\drivers\etc\hosts". For example, you can
add a line in hosts which says (address first, then the host name, as the
hosts file format requires):

127.0.0.1 www.yahoo.com

Now you cannot access Yahoo; the same way you can block all the messenger requests.

The easier way would be to install a proxy server like WinProxy
on the dialing machine.
Subject: Re: Blocking access to chat programs (MSN,Yahoo etc)
From: devildriver-ga on 31 Jan 2006 07:36 PST
 
Hey,
    Here are my findings on how to block chat programs. It's a bit long
but I found it useful. :-)

Background:
===========
Chat programs are very popular, and many are designed to be 'easy to
use'. In order to be easy to use, they are designed to work under a
wide variety of connectivity conditions, and automatically configure
themselves for connection by whatever means is available. This
automatic configuration makes it both easy to use, and harder to
block, because the programs themselves will go through a
trial-and-error sequence of looking for open ports to connect through,
and use proxies if possible. Often, proxy settings will be picked up
from Internet Explorer, but the programs usually want to make a direct
TCP connection to a central server to start.

The way these programs work is that a connection must be made to a
central server, through which communications to other users are
established. This is the key to blocking these programs - deny them
access to the central servers, and they cannot work.

1. Block Access to Login Servers via Proxy
==========================================
The programs generally have options to connect behind a firewall by
entering proxy information, such as HTTP, SOCKS, or other. Some will
pick up the proxy configuration information to try from Internet
Explorer settings. Blocking a connection through a proxy is generally
pretty easy as all you have to do is enter the proper Deny URL rule.
Generally, the only proxy that will be used here is the HTTP Proxy,
possibly the Transparent HTTP Proxy.

The key here is to deny whatever login server is called out in the
configuration options for the chat program. Some may show you a
configurable entry, while others (like MSN Messenger) hide it.

Login server names - set up a Deny URL access rule for these sites

AOL Instant Messenger: login.oscar.aol.com, possibly toc.oscar.aol.com
and login.icq.com
MSN Messenger: gateway.messenger.hotmail.com (was login.gateway.hotmail.com)
ICQ: login.icq.com and http.proxy.icq.com (was icq.mirabilis.com and
login.icq.com previously)
Yahoo! Messenger: msg.edit.yahoo.com/*
(Yahoo! Messenger: might also need to block
messenger.yahoo.com/* and http.pager.yahoo.com/*. Be sure to type in the
http on that last URL.)

2. Redirect Traffic to Login Servers via Dummy Static Routes
============================================================
The first method should stop the usual connection routines, and the
second should stop access via a proxy (HTTP or SOCKS), but what if the
chat program piggybacks onto a DNS proxy (which ignores access rules)
or you have configured filter exceptions to allow outbound traffic on
some port that the chat program discovers?

This is where we, the all-powerful firewall admins, get evil and
tricky. We must determine the IP subnet of the login servers, and use
a series of static routes to reroute traffic to those subnets to the
bit bucket. As long as all traffic to the Internet has to go through
the BorderManager server, this method will ALWAYS work. However, it is
subject to those login servers staying on those same subnets! If the
login servers are relocated to another subnet, this method will have
to be updated with new addressing information. This method is also a
real sledgehammer approach - you won't be able to make an exception
for the admin (you) to get through and block everyone else.

A related method here would be to enter dummy DNS entries for the
login hosts (such as in the BorderManager HOSTS file and any internal
DNS servers), but that is relatively easily countered by someone
knowing what the real IP addresses of the login servers are.

I have two methods for finding out what addresses are being used. The
first is to do a DNS lookup using some sort of nslookup program to
find addresses for the login hosts (like login.oscar.aol.com). The
second is to use a packet sniffer like Ethereal (www.ethereal.com) to
capture packets from my PC when I tell the chat program to configure
itself. Then I analyze the requests made from my PC to see what the
chat program is trying to do.

Entering a static route in NetWare:
====================================
LOAD INETCFG, go to Protocols, TCP/IP, and go into LAN Static Routing
Table. Make entries for Network with the network numbers listed below,
using a next hop of an IP address that is within a network directly
attached to the BorderManager server. (Don't use an IP address
actually assigned to the server, or 127.0.0.1). For instance, if you
have a private IP address of 192.168.1.1 bound to the BorderManager
server, you can use a next hop address of 192.168.1.2 through
192.168.1.254 and it should work. If you were to put in an address
such as 10.0.0.1 (with no 10.x.x.x network address bound to the
server), it will be ignored, and the traffic will still be sent out
via the default route.

To redirect AOL Instant Messenger:
==================================
AOL's login servers (login.oscar.aol.com, and also login.icq.com) are
on these subnets/addresses, as of May 20, 2004:


host 64.12.161.153 
host 64.12.161.185 
host 64.12.200.89 
host 205.188.153.121 
host 205.188.179.233 
AOL's web-based chat server uses toc.oscar.aol.com, on a variety of
addresses in the 64.12.163.0 (255.255.255.0) network.

I suggest redirecting the following subnets, but this will also likely
block AOL entirely, not just instant messenger:
64.12.161.0 (255.255.255.0), 64.12.200.0 (255.255.255.0),
205.188.153.0 (255.255.255.0) and 205.188.179.0 (255.255.255.0)



Microsoft may be adding even more in the future. I was still able to
block MSN Messenger with just default filter exceptions and the Access
Rule listed above, but should a new version of MSN Messenger come out
that is able to slip by the proxy rules, try redirecting an entire
subnet.
Redirecting subnet 64.4.13.160 (255.255.255.224) will prevent traffic
from reaching all addresses from 64.4.13.161 through 64.4.13.191.
(Changing that subnet to 64.4.13.128 and the subnet mask to
255.255.255.128 would expand the blocking to 64.4.13.129 through
64.4.13.255).

To redirect Yahoo! Messenger:
=============================
So far I have not had to redirect Yahoo! Messenger, but simply used an
Access Rule as listed above (like MSN Messenger). However, a reader
reports the following addresses in use on Nov. 29, 2001, should you
want to try the redirection technique.


csXX.msg.yahoo.com Series
216.136.175.143-145
216.136.225.83-48
216.136.225.12
csXX.msg.sc5.yahoo.com Series
216.136.226.209-210
216.136.227.166-167

Finding Out How A Program Gets Through HTTP Proxy
=================================================
Here's one technique I use to find out what needs to be blocked. I
used this to track down what Yahoo Messenger was connecting to, so I
could set up access rules to block it.

1. Use a user account that doesn't have a lot of traffic, or is set up
just for this test. This is so you can easily see what is being
accessed in your testing.
2. Enable proxy authentication. This is so that the user account you
are testing with shows up in the logs.
3. Set up an Allow All URL access rule at the top of the rules list,
with Source = the NDS user account you are testing with. Enable rule
logging.
4. Connect to the web site/service. (For Yahoo Messenger, try to login.)
5. Check the Access Rule logs for the last 30 minutes or so to see
what was allowed, find the test user account, double-click on it, and
look at the URLs.
6. Set up a Deny URL rule right above the Allow URL for the test user,
enable logging on it, and enter a URL to deny. Wildcards are allowed.
7. Test again. If the Deny rule worked, you will see that in the
Access Rule logs. If the login worked, the software may have tried a
second option you also have to deny, or your Deny rule may have the
wrong syntax. Also, when the access rules deny a site, you should see,
in the Proxy Console screen on the BorderManager server, an immediate
increase in the "Failed" statistic.
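As an added example, not from this thread or from BorderManager, the log-driven check in steps 5 to 7 above and the address range a dummy static route from section 2 swallows, in Python; the log line format, the user names and the URLs are constructed for the demonstration.

```python
import fnmatch
import ipaddress
from typing import List, Tuple

# Constructed sample of access-rule log lines in a hypothetical
# "<timestamp> <user> <action> <url>" format; not real BorderManager output.
SAMPLE_LOG = """\
2006-01-31T07:36:01 imtest ALLOW http://msg.edit.yahoo.com/config/ymsgr
2006-01-31T07:36:02 imtest ALLOW http://http.pager.yahoo.com/notify
2006-01-31T07:36:05 imtest ALLOW http://www.example.com/index.html
2006-01-31T07:36:07 jsmith ALLOW http://gateway.messenger.hotmail.com/gateway/gateway.dll
2006-01-31T07:36:09 imtest ALLOW http://messenger.yahoo.com/
"""

# Deny URL rules written in the wildcard style the comment uses.
DENY_RULES = ["msg.edit.yahoo.com/*", "messenger.yahoo.com/*",
              "http.pager.yahoo.com/*"]

def urls_for_user(log_text: str, user: str) -> List[str]:
    """Step 5: every URL the dedicated test account was allowed to reach."""
    urls = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == user:
            urls.append(parts[3])
    return urls

def matches_deny(url: str, rules: List[str]) -> bool:
    """Step 6: would any wildcard Deny rule catch this URL? The scheme is
    stripped first so 'host/*' rules match the full URLs from the log."""
    bare = url.split("://", 1)[-1]
    return any(fnmatch.fnmatchcase(bare, rule) for rule in rules)

def still_allowed(log_text: str, user: str, rules: List[str]) -> List[str]:
    """Step 7: URLs the test user reached that no Deny rule covers, i.e. the
    'second option' the client may fall back to and that also needs a rule."""
    return [u for u in urls_for_user(log_text, user) if not matches_deny(u, rules)]

def route_range(network: str, mask: str) -> Tuple[str, str]:
    """First and last address swallowed by a dummy static route for
    network/mask, e.g. the comment's 64.4.13.160 / 255.255.255.224."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    return str(net.network_address), str(net.broadcast_address)

if __name__ == "__main__":
    print("Not yet denied:", still_allowed(SAMPLE_LOG, "imtest", DENY_RULES))
    print("Route covers:", route_range("64.4.13.160", "255.255.255.224"))
```

Everything `still_allowed` returns for the test account is a destination the client reached without a matching rule, which is exactly what step 7 tells you to look for before adding the next Deny entry.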
