Is there a good and inexpensive solution to prevent unauthorized web surfing?

Ok, I already know that there are professional solutions for this, but the high school I help with tech support has a limited budget and very few students to justify a solution like that. While it is true kids only need time to defeat any restrictions, the key is indeed time: students have instructors running around and we only need to catch the perpetrators in the act.

This being a small school, the best solution was the one already in the computers: terminals are Windows 98 with IE6; Content Advisor in IE does the job that they need by restricting web surfing to only a few websites. Network support cannot be disconnected because they would lose access to the class assignments.

Of course, there was an occasion when a teacher was not looking and a student had time to disable the password in Content Advisor and got the day going to unauthorized sites until caught. It takes a little while to disable the password; the simplest way is to disable it in the registry editor.

So, is there a way to prevent the kids from changing the registry or a better free solution to restrict web surfing to specific websites?

Yes, every system can be defeated, but the school only needs a way to make it more frustrating for students to get where they are not supposed to go.

Try the iBoss. It’s a hardware solution that gives you great configurability on what to block and when. The unit isn’t that expensive although there is a nominal monthly service fee ($10?).

How about a local DNS server that will only resolve the approved sites, and “blackhole” everything else? Would that work?

Or maybe some kind of proxy like Squid?

P.S. I think you’d be a lot better off with Windows XP so the kids wouldn’t be running as admins. I know it’s not free to upgrade, but I believe there are pretty steep educational discounts (?).

One other wild guess for you. Can you just remove/rename the regedit executable? I guess maybe they could still run .reg files…

That looks interesting, but even at $90 (plus service) the principal could complain; we'll see.

Any website with the specifics?

Fun to notice that someone called **MrSquishy** is promoting that one :wink:

While it is an open source project and available for Windows, there is some time or difficulty in installing it (their wiki showed a guy who right away said it is not so easy to install, but that once it is, it does the job) and time is something the principal already told me is not willing to pay.

If I was the boss I would do it right away, but unfortunately many corporations over here are still only donating computers with Windows 98 licenses only; you go to war with the army you have. They will eventually upgrade, but that will have to wait for next summer at the earliest.

A quick step-by-step for that? Or a web site that explains that? I will search and check that out next week.

Here’s a principle to abide by: if you can sit down at a Win98 computer and enact a particular restriction (deleting regedit, for example), anyone sitting at that computer can un-enact that same restriction (barring extreme cleverness on the part of the access control software which none actually implements because it’s not worth their while: if you cared that much, you’d be using a secure OS, not their software). The trick is to make the restrictions somewhere else, such as on the network itself, that the user doesn’t have control over.

It’s actually very cheap to do this in a pretty bulletproof way, but there is definitely a time investment unless someone on your IT team is a tinkerer of the right sort. But this is a pretty useful thing to learn how to do, so you might consider it worthy of experimenting with at home, in which case you can get it right and then just bring it to work and impress everyone.

Step one: firewall your network. This can be set up for free using something like m0n0wall and a Win95-era PC found in someone’s storage closet. The firewall goes someplace “central” that the students can’t access, and goes between the main school network and the internet. M0n0wall is kind of neat in that the whole thing (your configuration included) can be burned onto a CD that the computer boots from, so no hard drive is even necessary. This firewall should be configured to block all outgoing connections with exceptions for critical school needs (e.g. connections to district servers)* and/or specific computers in secure locations (e.g. some offices), and one last exception: the proxy server.

Step two: set up a proxy server. I can’t particularly recommend a specific piece of software here, but the important part is that you can install this on any computer you want, so long as it’s one the students don’t have control over. This means it can be a windows machine running some point-and-click-to-admin proxy software, or it could be running squid, or whatever you want (it could even be running on the same computer that’s acting as the firewall). Then you configure it with the particular whitelist and/or blacklist and/or time-based rules you want, and it is allowed free access to the internet, but acts as a filter for all requests from the students. If they disable their proxy settings in the browser, they get nothing at all because the firewall blocks them.

This is not an impossible system to defeat, but it is strong enough that defeating it requires real network hacker techniques such as compromising off-limits computers or forging network addresses, both of which are probably serious enough to get you expelled regardless of why you’re doing it.

*Note: one way to get a good feel for what exceptions you need for critical school needs is to set up the firewall such that it does not block anything, but logs everything, then let it run for a week and go through the logs to review all non-HTTP traffic to see what else the school is doing. Even if you think you know all the critical needs, this would be a good sanity check to make sure you didn’t forget anything that’s going to cause a problem when you flip the switch.
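The log review described in the note above, sketched as an added example (not code from the thread or from m0n0wall): it groups a week of log-everything output into candidate firewall exceptions. The log layout, the sample lines and the function names are assumptions made for illustration, and TCP 80/443 is treated as the web traffic that the proxy will carry.

```python
from collections import defaultdict

# Constructed sample of an exported log. The field layout
# (date time src_ip dst_ip proto dst_port) is an assumption, not m0n0wall's format.
SAMPLE_LOG = """\
2009-03-02 08:01:10 10.0.1.21 203.0.113.10 tcp 80
2009-03-02 08:01:12 10.0.1.22 198.51.100.5 tcp 443
2009-03-02 08:02:40 10.0.1.21 192.0.2.53 udp 53
2009-03-02 08:02:41 10.0.1.22 192.0.2.53 udp 53
2009-03-02 08:05:00 10.0.1.5 192.0.2.25 tcp 25
2009-03-02 09:15:33 10.0.1.23 198.51.100.77 tcp 6667
2009-03-03 08:00:02 10.0.1.5 192.0.2.25 tcp 25
malformed line
"""

WEB_PORTS = {("tcp", 80), ("tcp", 443)}  # will go through the proxy, so not reviewed here


def parse(line):
    """Return (day, src, dst, proto, port), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    day, _time, src, dst, proto, port = parts
    return day, src, dst, proto.lower(), int(port)


def candidate_exceptions(log_text):
    """Group non-web flows by (dst, proto, port) with hits, clients and days seen."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "days": set()})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1  # count bad lines instead of silently dropping them
            continue
        day, src, dst, proto, port = rec
        if (proto, port) in WEB_PORTS:
            continue
        entry = stats[(dst, proto, port)]
        entry["hits"] += 1
        entry["clients"].add(src)
        entry["days"].add(day)
    # Services used by the most machines come first: likeliest real school needs.
    rows = sorted(stats.items(),
                  key=lambda kv: (-len(kv[1]["clients"]), -kv[1]["hits"], kv[0]))
    return rows, skipped


if __name__ == "__main__":
    rows, skipped = candidate_exceptions(SAMPLE_LOG)
    for (dst, proto, port), e in rows:
        print(dst, f"{proto}/{port}", e["hits"], len(e["clients"]), len(e["days"]))
    print("unparseable lines:", skipped)
```

Destinations reached by many machines on several days are the ones to check against known school needs before adding an allow rule; a port used once by a single terminal is more likely something to leave blocked.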