Can "hosts" file be locked?

Can the “hosts” file in WIN7/system32/drivers be locked and the computer still work?

My nephew is in the habit of looking at some particular porn sites and his mom asked about parental control software. I suggested she put those sites in the hosts file so the computer can’t connect to them. But her kid is pretty computer savvy, so he might know how to go in and remove them.

If the file were locked with a program like Kruptos, using a password, would the computer still be able to access it and use it normally? I’m afraid to just try it for fear that the computer won’t run and I won’t be able to undo it.

The hosts file can only be modified by a user with administrator privileges, so you could remove admin privileges from the boy’s account.

I’m actually not sure how the computer would respond if you locked the hosts file. I suspect that it will either cause all DNS searches to fail, or it will just ignore the error and will continue the DNS search in the normal fashion. Since programs like Kruptos lock the file for read access as well, this will in effect disable the hosts file, which completely defeats the purpose of what you are trying to do.

Using admin/user privileges is probably the way to go.

If the kid is accessing web sites that he’s been told not to go to, why is he still allowed to use the computer? There are some very simple non-technical solutions for this problem as well. “Oh. I see you’ve been doing things on the computer that we told you not to do. No computer access for you for a week.”

He can still find the IP address and use that instead of the URL. Readable names are only a convenience.

Oh, I totally agree that the little twerp ought to have his computer privileges revoked, but try telling that to my sister. She’s not exactly running a tight ship over there.

It does look like the admin access is the way to go. I’m not even sure he has admin access.

What’s wrong with your initial suggestion - parental control software? I haven’t had to install anything like this myself but I assume there are decent apps that prevent getting at a lot of adult imagery and that are designed with somewhat determined, intelligent kids in mind so they can’t just ctrl-alt-del to shut them down. That’s probably a simpler solution than having your sister futzing around with HOSTS and the like.

Not all IPs point to a single domain name. You can have a ton of domains on an IP, and it requires the domain name to get to the right home folder.

Well, I’d be the one futzing around in her files. I was thinking of the host file because I’d read that too many of the software programs can be defeated easily, and that the host file tactic was harder to beat. I think I’m telling her to just get the software.

They using a router? (cable modem) - block them there - set a different password on it that the kid can’t have.

alternately - if tits that big a deal - add a router and do that.

golf clap

What a pointless exercise!
Has anyone ever successfully kept a teenage boy from finding porn?

You’d do much better sitting the kid down and explaining to him:

  1. This upsets your mother, so either use a different computer or hide your tracks better; and
  2. Porn is made-up stuff to attract viewers; real men & women don’t treat each other that way.
    So if you want to ever actually have sex, don’t plan it like porn flicks show – instead, look at romantic ‘chick flicks’ for useful lessons.

That’s not how the Internet works. While you can have a lot of name addresses pointing to the same IP address, they will all show the same web page.

After all, that is the point of host lookup. Once your computer looks up the IP address, it just connects to that IP address. The remote site has no idea what name address your computer used to find the IP address. (Barring using various tricks.)

Note that subfolders might be designed differently for each domain, but you can always add the right subfolder to the initial IP address to access the right one exactly as if you had the original name address.

I second putting the block in the router.

True. Possibly still get-roundable with enough savvy, if hosts is locked. Anyway, the big porn sites are major operations and will probably have their own IP addresses. In the interests of science I just tried the technique with one of them and it worked fine.

No, the post was right. Google “host headers”

You send to the specific IP address, but your data packet from the browser essentially says “please send me bustymamas.com”. Based on the website name in the HTTP request packet, you get that website of the many hosted on the one IP address. If you put in the IP address, “Please send me http://123.123.123.5/default.htm”, you will likely get the web pages for “we-host-websites.com”.

We’re close enough to running out of IP addresses; it’s worse if every website needed a distinct IP address.

Also, if he’s too clever (or is nice to his geeky classmate) he will find out about proxy VPNs and similar tricks (remote desktop sessions) to bypass any attempt to block specific sites or addresses. Use IE parental controls, and he’ll download Chrome, or Firefox, or Firefox-on-a-USB-stick.

Attempting to block it in the router is the most effective way, but if he knows how to reset the router to factory default (and doesn’t need a password for the internet service) there goes that idea.

User privilege to make the HOSTS file read-only to him might work until he figures out how to boot with the CD that allows him to change the admin password in the local database or some such trick.

OTOH, think of it as an opportunity to motivate him to learn about technology. He’ll thank you when he’s 25 and making 6 figures as a network tech; maybe he’ll email you his favourite links too.

Another vote for blocking at the router if you must.

I have a slightly different POV (I have 15 y/o twin boys, I have two dogs in this fight)

There is no substitute for supervision, ever. I have seen plenty of computers turned into an annoying mess by “net nanny” type software.

I actually run Spector on my sons’ machines

http://www.spectorsoft.com/

There is no filtering, the rules are clear. They are unaware of the presence of the software. Mom and I know how to look up the logs and such. If they quickly close a window when one of us approaches all we have to do is note the time and check later.

That way, we can take a look occasionally, if infractions are noted, computer use is restricted. If nothing inappropriate pops up, life goes on.

One other option for keeping tabs depending on browser, for example you can lock IE’s ability to clear its history with a registry edit.

I can think of a fairly low-tech solution to this problem. It’s a two parter.

  1. Physically move the computer to the living room or family room. People don’t surf for porn in common rooms where their parents might be watching tv; they do that behind their bedroom’s closed door.
  2. Password the computer and only the parents can know the password. Which means Junior can’t get on the computer unless a parent logs on for them. And if the parents shut it down for the night, it’s going to stay down until they turn it back on.

This was more or less my take.

Porn is pretty much everywhere now and as Canute demonstrated, you can’t hold back the tide. What you can do is educate.

Do you have any idea how many porn sites are available? This will become a war of escalation where you end up making it a full time job to maintain the “block” list of individual sites.

I have a 15-year-old boy and at some point you’re just going to lose the control battle and have to shift to “open communication” mode.

Not necessarily. That assumes the http server hosting the site is only hosting that site on that IP. There are many more DNS names than there are IP addresses in the world. (Well, IPv4 addresses, anyway). Web servers can host multiple sites at a single IP address and manage the traffic by looking at the host header name passed by the browser. But that fails if you try to use an IP address in the browser.

ETA: Er… as explained already in post 14, which corrected post 12’s wrong idea.
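
Added example (not written by any poster in this thread): a minimal local web server that does the "host header" dispatch discussed above, showing that one IP address can serve different sites by name and that a request naming only the IP gets the server's default page. The site names, page bodies and function names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed site table: two names sharing one IP address (127.0.0.1).
SITES = {
    "site-a.example": b"pages for site-a",
    "site-b.example": b"pages for site-b",
}
DEFAULT_SITE = b"hosting provider default page"


class VirtualHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The server never sees the DNS or hosts-file lookup; it only sees
        # the Host header the browser placed in the HTTP request.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the demo server on a free local port and return it."""
    server = HTTPServer(("127.0.0.1", 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header):
    """Connect to the same IP every time; only the Host header changes."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    body = conn.getresponse().read().decode()
    conn.close()
    return body


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for name in ("site-a.example", "site-b.example", "127.0.0.1"):
        print(name, "->", fetch(port, name))
    srv.shutdown()
```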