Hello all,

I have a question regarding Win XP. Is there a way to either disable Internet explorer or disable the clear history function in internet explorer? We seem to have a couple of employees that surf the net and we have heard from another employee that they have had up some questionable sites(porn). We have a policy that states internet use is for company business only (we are not in the porn biz), so we need to either disable IE or be able to track the history. We seem to have one or two people that seem to clear their history each day.

Thanks
Bob

Hey Bob... Your question has killed site traffic today!! ;) I don't think you will get many answers as i'm sure a lot of guys are accessing from work.

IE is part of windows, I wouldn't recomend trying to remove it... What you can do is setup your corp routers firewall to block some of the PCs from accessing the internet. It's real easy with a Dlink or Linksys router, you just need to know IP addresses.

The better solution would be to set up a proxy server and have all computers access the internet through it. A proxy server can block/limit certain web sites. It will also log what sites are being accessed and from what IP addresses.

A good open source one is "Squid Web Proxy Cache". http://www.squid-cache.org/

It comes with most Linux distributions.

Just trying to avoid a lawsuit. One woman walked by and caught a glimpse of porn. She was cool about it but I have a couple of other women that it would be a problem for. Since they clear the history, I have no proof.

Thanks again,

Bob

call and ask a local school how they do it.

Sometimes the bests policy is a written policy of business websites only no sports/porn/gambling/forums/chat rooms/or private email on a company machine. If the policy is abused then you will be terminated. All internet use and email is monitored. Post it and have users sign a legal agreement that they understand the policy.

Setting up a proxy is the best technical answer/solution.

call and ask a local school how they do it.

They don't... As a parent I have to sign a waver that my kid won't surf questionable material on school computers and I agree if they do I won't hold the school responsible... Same at public library's if they issue a card to someone under 18.

Just trying to avoid a lawsuit. One woman walked by and caught a glimpse of porn. She was cool about it but I have a couple of other women that it would be a problem for. Since they clear the history, I have no proof.

Thanks again,

Bob

Get started on a code of business conduct and have an annual review. Make it clear what the company doesn't allow and what is at stake. Also cover proper protocal to resolve issues that arrise. Any workplace lawsuits that come up will be a lot harder to justify the company is at fault if the complaintant didn't follow defined protocol so the company could work at a resolution. Mgnt has to be willing to inforce the rules if it's going to work though...

Hey, there is even a content advisor in IE <tools><internet options><content> that lets you block stuff...

You have a couple options here:

Depending on what router you have to the Internet, it may support WCCP. WCCP would allow transparent interception of the client traffic, and would foward it to a cache device. You have several options with WCCP, and explicit proxy (as noted above). If you enable a proxy, you can block all out-bound web traffic at the router, and only allow the proxy device to access the internet.

Cisco offers the Wide Area Application Engine, which is an appliance that allows for web caching as well as URL filtering. There are a couple options when it comes to URL filtering..

1) You can define a list of the only sites you allow (called a white list)
2) You can define a list of the only sites you want to block (called a black list)
3) You can run a function on the WAE such as WebSense or SmartFilter which are commercial grade URL filtering products. They offer additional control such as instant messenger and peer to peer filtering, as well as streaming media controls (streaming media uses ports other than 80 for web traffic).

Depending on how many users you are looking to filter, you can tie it into your authentication scheme, so, execs are not filtered, other users are filtered.

Because you are based in California, you are subject to additional laws which do not apply to other states.

1) If the female employee decides to file a harassment suit, the company is liable.
2) If she decides to file a harassment suit, the manager of the offending employee is also liable.

I would suggest that even if you can't prove that the employee is surfing in-appropriate sites, his manager approach him to confront him on this. If she decides to persue this, she has 2 targets right now. And if other employees know that this is happening, it only helps her case.

I'd make sure that the employees know the corporate policy (did they have to sign anything?) Consider investing in a filtering product, or, at the very least, install a cache product that supports transaction logging (to prove who is accessing the sites), and also talk with the employee to make sure she is not offended, and that she understands that the company is making efforts to prevent this from happening in the future.

It seems to me that if she filed a complaint, the offending employee could be subject to dismissal.

-Ted

Why not just counsel the employees that are surfing inappropriate sites?

They don't... As a parent I have to sign a waver that my kid won't surf questionable material on school computers and I agree if they do I won't hold the school responsible... Same at public library's if they issue a card to someone under 18.
they do here through an internet security like norton

Aren't there programs that will send a list of visiting sites and time on those site to one main computer. I recall my brother-in-law having something like that in their home. They would be emailed a list of where their children went on the web.

Please do not take away my surfing time on Team Camaro. It is all I have to look forward to when the alarm clock goes off in the morning. DSL is great for the company, it cuts my surfing time way down.

You can also run a search on their Content.IE5 folder (if it still exists in XP). Cached porn can reside there even though someone has cleared their history, cookies, and temporary internet files.

Webwasher URL Filtering - http://www.cyberguard.com/products/webwasher/webwasher_products/url_filter/index.html?lang=de_EN

There are many other programs like SurfControl and Igear that do the same.

I Admin school networks, we use Surf Control for filtering email and net...This is expensive $NZ 13000 . I have to have a 100% nil access.. since Feb 2001 we have had 3 incidences, one was acidental to do with site maskarading as a dragonballz site, anothe similar with disney site, the other a legit hacked site.
Bit over board for a small business thu.

There are several approaches u can do depending on bugets and network size.

As mentioned above run thru a proxy server...any small business (10 users up)with net access should be set up like this regardless. Log momitoring server maintence IP blocking/filtering is an on going expense
The following Alternatives are used to ZAP those abusing the system.
The server will also be able to set permissions on what users can do and not do on local workstations.
Eg disable access tools on IE, right click..even the 'run' on the start menu.
Another alternative is to get a prog like Tweaknow. This canbe installed on each work station, in there one can also change what ppl have access to in windows eg delete history, change settings to clear history/files, and not give access to hidden/system files. TweakNOW can have a admin pw.
Or u can phsically make changes to the reg files (this is what tweakNow does except graphically) Then as admin login on the machine run a reg file to change back and check the machine...u need some who knows their way around windows to do this.
It still can be done, but the user will certainly have to have advanced knowlegde to do it.

Althu a user may delete files, even format/ckdisk a harddrive, there are inexpensive progs that will revover these pics, documents/files. eg a prog Recover my files.

What business purpose does it serve for you to allow them access to the Internet?

Hell, you could just disable DNS on the workstations in question if there is no legitimate business use for the Internet.

Thanks to everyone for the great information and ideas. I have spent the last several hours looking into some options.

CFunk - They need access to the internet for emailing salespeople, looking up MSDS sheets and product information.

We run a Dlink router and I got into it and tried some URL filtering with words like sex, jobs, espn, girls and camaro for a test. It filtered out www.espn.com and camaros.net. Not exactly what I was looking for. I then tried to block some URL's and that seemed to work a bit better, but it sure seems like a PITA, but so are lawsuits.

As for counseling the offenders....That is a bit difficult without actual proof and without pitting the one employee against another. I had my office manager go through our employee manual to see if we had an internet policy. She found an addendum from 2 years ago, but it was not signed by anyone. This weekend I will redo out internet policy and hand it out on Monday morning. I will require them to sign it and give it back to me.
I am still looking for ways to monitor/restrict what is being looked at.

Thanks All,

Bob

Because you are in California, you will probably have to inform your employees that you will be monitoring their Internet access as part of the policy compliance. That way, they understand that you will be watching their activities, and anything you put in place will then be legal.


-Ted

Hello all,

I have a question regarding Win XP. Is there a way to either disable Internet explorer or disable the clear history function in internet explorer? Thanks
Bob

Hi Bob..
answer is YES..
1) If no one needs to "surf the internet" you can block port 80 at the firewall. you can even block for specific workstations only.. very simple rule.
2) Internet Proxys and Firewall logging is the best practice for businesses who need to control Internet access.
3) If you can't spend the money to have a centralized logging or a site blocking solution, you can disable parts of, or the entire INTERNET OPTIONS menu from Internet Explorer. This would deter users from easily deleting web cache and cookies.

Locking down IE, is done via Microsoft Security Policies.
If your network has a MS-Domain, you can setup Domain Policies (GPO's).
If not, each machine has it's own set of security policies you can enable, but that can be tedious to set and track..

PM me if you're interested in the specific commands on any of these options..

There is free software available that will block out the porn sites...just do a search on www.download.com.
I have tested some of the programs on there and they work great. This should allow them to go to any of the sites you mentioned, but keep them out of the questionable ones.
I think this would be the cheapest and easiest route for you to go...and all the policy stuff the other guys mentioned is good too.

Gambitt

You can block all the web pages you want, but that still is not going to eliminate a picture being emailed to someone. I have been walking by peoples desk and seen plenty of pictures and videos, all of which have come through email. Some of these emails just have links which would be blocked but others are attached in the body of the emails. I would guess that most people are not sitting their searching for porn, but it is possible.

Keep in mind that the cheaper routers, like the DLinks and Linksys ones will do some content filtering, but they are often very limited to the number of words you can add. Some of the Linksys routers let you put in like 4 words, and some of the Dlinks limit you to like 10 words. Hardly enough to get a comprehensive list. Also, the content filters on these routers only block the page if the word is in the URL itself. There are many sites that a filter such as this won't block. Also, you'll be at it for years trying to input every possible porn site in if you're blocking by URL.

I've been looking for an inexpensive filter myself for my sister's kid's computers. I handle some very complex (read expensive) ones for the all the companies I've worked for or work with, and it's easy to let the cost get away. Since my sister lives in another city, I quickly tossed on a parental control filter I found online and seems to do ok for now until I can come up with a better solution. I got it from http://www.freeshield.com and it works fairly well for a large portion of the sites I could think of. I'm not going to install a proxy server or a Checkpoint firewall just for a couple kids :) Another thing, since their little network is wireless, and they live in an apartment, there are other unsecure wireless networks close enough that they can connect to (when they get smart enough to figure it out) which would bypass any firewalls or proxies I could put in. A software solution is about the best bet at that point without totally locking down their computers to where they can't do anything.

Attachments in emailed can be blocked, but that is a little more complicated.

Attachments in emailed can be blocked,
Assuming u have your own mail server like exchange, it is a simple setting to limit attach types, size, who can have them...or set thru active directory.

Any policy should not permit use of net/email for private use...At the end of the day unauthorised use of bandwidth (paid for by the company) is theft. Time spent in unauthorised use is no different to skiving off somewhere to have a unauthorised coffee break and is not fair on those who do a honest days work and find themselves 'covering' work loads, waiting for delayed paperwork, increasing their stress/workloads.

We had a teacher couple yrs ago..."overloaded with paperwork, having to take more home" class assessments below ave increases etc...There was no apparent reason.
Without knowing the problem existed but looking way a particular month had an excessive BW blowout, I ran logs to find users time/usage/where etc over a 6 month period ti ID trends. Presto...3 teachers, this one in particular was spending an ave of 3 hrs/working day on the net. Source of the mangerial problem solved.

There is another very real danger re porn/underground sites...worms /network infection. Espec if updates are not run, virus scanners not updated, regular Admin scans of machines.
The 1st and formost function of IT is data security, 2nd network stablity. TOO OFTEN these areas are overlooked either by network admins full of BS when things go wrong or lack of regular maintaince budget by the company.
Too often small companies do not realise data/ network compromised...company stops functioning, customers go elsewhere, and fixing is more expensive than prevention in cost and time.
A small office network in NZ about 120 workstations/users maintainance budget about $NZ2000 to $4000.
1 instance of network/data coruption to fix anything from $2000 to $10,000.

In the "Start" menu, select "Run". Then type "regedit", then enter. Click on "HKEY_CURRENT_USER", then the Software folder. Next click on "Microsoft", followed by "Internet Explorer". Finally, click on "Typed URLs". You'll find your answer there. Clearing history won't remove this tracking. Damn those Microsoft folks!!

Bill

I am in the process of doing a "Ground Up Restoration" of my policies and procedures for my small business. A good friend of mine that I have known for over 24 years just started a small business consulting company. He is currently an HR manager for a auto dealership with about 300 employees, but he sees a huge need for small businesses to have access to the same professional and legal help that bigger companies do.
He is putting together all of our P&P, including internet access, etc. I would be happy to give you what I get back or, if you're interested, I can get you hooked up to him. California law is vert tricky when it comes to what you can and can't tell an employee what to do and, if they do it, what you can and can't do based on what policies you have in place.
anyway, if interested let me know.