I want to block a user from having access to the internet on Windows
XP PRO.  I have looked through the administrative tools, local
security settings, etc.  I thought there was a simple way to go in as
an administrator and pick and choose what programs and files users
have access to. I have done about an hours worth of searching on the
internet, but the few leads I found seem way more complicated than
necessary for something so basic.

An ideal answer would include how to SIMPLY allow or restrict access
to any folders, files, and programs I choose. I would like to do this
WITHIN xp pro (without additional software).  At the minimum I need to
know how to block a specific user from internet access.

I am using XP Pro and have a comcast cable connection.

Thanks for your help.

---

Request for Question Clarification by keystroke-ga on 30 Jul 2006 16:43 PDT

I think I can answer this for you but I would need a quick clarification.

Will the user need network access via computer names? If the user is
going to be limited to have NO network connectivity (except through IP
address) I have an easy solution to your Internet access problem.

Secondly, the way to restrict access to files and folders on the
system is also an easy fix, it will require a second user account that
is non-administrator (for the restricted user to log in as) and you
will have to restrict access to the file you dont wish them to have
access to.

If this is going to be the right information I am happy to post it.

--Keystroke-ga

---

Clarification of Question by etcher-ga on 31 Jul 2006 09:55 PDT

There is no network setup, just a wireless router between my computer
and the cable company's high speed device. (There is no connectivity
between my computer and the computer that uses the router)

UPDate: I went ahead and made a new user account and was able to
figure out how to block the access to firefox and explorer browsers by
blocking the executable files(to firefox and explorer) for that user.

This seems effective but would like to hear your idea if different (or
confirmation if it is the same)  I imagine their are numerous ways to
achieve this so whatever ideas you have would be greatly appreciated.

I don't know if this is considered another question but here goes:  My
ideal answer would include how a user can be given access to a handful
of specific sites and nothing more. (I don't mind using a simple,
inexpensive or free, software program, but would prefer not to)

Thanks for your help

---

Request for Question Clarification by keystroke-ga on 31 Jul 2006 16:18 PDT

Well my way of doing it would be as follows.

Login as the administrator and set the DNS server address to 127.0.0.1

Now let the user log in as the guest account or the restricted
accounts (this prevents the user from having access to the TCP IP
control panel of the network interface I believe). When the user loads
up IE or Firefox they will not be able to resolve any domain names as
their DNS server ip settings will be incorrect and thusly cause
resolution to fail.

If you want them to have access to certain website you can edit the
local HOSTS file (located C:\WINDOWS\system32\drivers\etc\hosts) and
add entries for the website you require the user to have access to.

In my example I have set the following as an entry in the hosts file

127.0.0.1 	xxxtoolbar.com

When I try to access xxxtoolbar.com (a spyware IE toolbar) it resolves
to my local PC and fails to connect. If you wanted to give the user
access to that website you would change 127.0.0.1 to the external IP
address of the domain name and the user would be able to access the
server fine.

If this is the information you required let me know and I'll post it as the answer.

--Keystroke-ga

---

Clarification of Question by etcher-ga on 31 Jul 2006 20:16 PDT

I'm not sure what you mean by having me "set the DNS server address to
127.0.0.1" (I understand the idea - my research on the internet
indicates a loop back to the computer, effectively blocking acess)

First of all I'm not sure how to do this.  I looked for instructions
on the net and wound up at a dialogue  box for Local Area Network. 
The various dialogue boxes are not clear and the DNS seems to be tied
up with the IP setting.  It just appears risky and confusing and not a
typical setting that an average user would be tinkering with.  I would
need more explanation of how to actually go about changing this and
some assurance that this is safe.

Secondly, as the administrator, I still need to have access to the
internet.  When I am looking at the options within the Local Area
Network I see no way of specifying a DNS setting for a specific user.

I called Comcast (my internet provider) to ask them about the wisdom
of changing my DNS.  The rep indicated that the DNS and IP are set (by
Comcast) and that they should not be changed.

I find the second part of your explanation a little less confusing
after opening  up the host file.  But since this solution is tied up
with the first part I need more explanation (on the first part of the
question).  My original request was for a simple solution.  I
understand that may not be possible (in my perception of what is
simple) but I will find this an acceptable answer if I can make it
work.