Windows Server - Locking down a browser / HOSTS file

Asked By corn2 on 02-Mar-12 03:48 PM
Hello:

I have a requirement to lock down the internet browser.  Locking down
means preventing the browser from going to sites.  Yes, an ACL on the
router could do such a thing but the requirement states the control must
be deployed on the same host as the browser.  With that said, the way I
am thinking to lock down the browser and meet all the requirements is to
put entries in the Windows HOSTS file to block an IP.

Yes, I know entries in the HOSTS file can affect system performance.  MS
recommends a HOSTS file that is less than 135K as well.

Unfortunately, all the IPs I have to block make the file larger than
that limit.  Is it possible to put an IP range or subnet in the HOSTS
file then?  That would limit the number of lines for each and every IP
address and bring the file size down to a more recommended level!!!

Thanks!


Virus Guy replied to corn2 on 02-Mar-12 05:58 PM
Which OS are you talking about?

XP?  Vista?  Seven?  Windows 9x/me?


So you want it so that there is no web-browsing possible at all on this
computer.  In that case, it is probably possible to remove all links to
Internet Exploiter from the desktop and all start menus, and even to
rename the IE executable file so that it cannot be invoked by the user.


Only when the system is using the DNS service, which by and large there
really is no reason for that service to be running on the typical
NT-based OS these days.


Because they assume you are running the DNS service - which you do not
have to, and which I disable on any XP systems I administer or
set up.

Again, if the goal is that there is no web browsing to be done on the
machine, then you can achieve that by

1) not installing any web browser on the system (firefox, opera, etc)

2) removing all links to Internet Exploiter.  This includes desktop
links, start-menu links, etc.

3) rename the IE program executable so that it cannot be run via the
start-run method.


David H. Lipman replied to Virus Guy on 02-Mar-12 06:12 PM
Add ...
* Limited User Accounts w/o administrative rights

* Implementation of Group Policies

I do not think you can eliminate web browsing but IE can be locked down.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp