Block all websites except 1


jumpman17

I'm looking for a way to essentially block the entire internet, except for 1 website. Most methods I have found involve a blacklist, but I need something with a whitelist. Where only listed websites work. Any ideas?
 
Some further info, this is on Windows 8, and using Chrome. And I'm looking for something where the settings can't be changed by a non-admin account. Basically, my company is going to be giving out lots of laptops to the workers for the sole purpose of going to a single site and entering data while on the job. Currently, I have IE uninstalled and found an extension in Chrome that does what I need, but you can just open the extension and change the whitelist. I'm sure most won't know how to do that, but there may be some. And still, you can plug in a thumbdrive with Firefox Portable and use that.
 
Find the IP address of that one site, change the DNS's of each computer to something invalid (e.g. 127.0.0.1), and then add the IP address of that one site to the HOSTS file.
Seems like it should work given that it shouldn't know of any domains besides the ones in hosts.

Edit: And don't forget to flush the dns cache.
 
In Internet Explorer you can define a proxy server & exclusions for specific sites. You can set a nonexistent proxy & put your site in the exclusions. If you want to prohibit changing this behavior, just give the user non-administrative rights to the system & configure these settings through GPO (gpedit.msc for WG computer or AD policies for domain). It may also be useful to enable software execution restrictions in GPO to protect against alternative browsers.
 
Does your router allow parental control settings of some sort? My shitty ISP-provided router/modem unit can allow only a certain website after blocking them all, theoretically. Which can also be assigned to each laptop individually after giving them static DHCPs.
 
On Mac there are parental controls which allow you to make a whitelist of sites and applications allowed by specific users. Windows doesn't have anything like that?
 
Find the IP address of that one site, change the DNS's of each computer to something invalid (e.g. 127.0.0.1), and then add the IP address of that one site to the HOSTS file.
Seems like it should work given that it shouldn't know of any domains besides the ones in hosts.

Edit: And don't forget to flush the dns cache.
That may work. I'd like to be able to keep the admin account with working internet though.

In Internet Explorer you can define a proxy server & exclusions for specific sites. You can set a nonexistent proxy & put your site in the exclusions. If you want to prohibit changing this behavior, just give the user non-administrative rights to the system & configure these settings through GPO (gpedit.msc for WG computer or AD policies for domain). It may also be useful to enable software execution restrictions in GPO to protect against alternative browsers.
I have to have Chrome though as the site doesn't work in IE because nothing seems to work in IE11. Also, I thought you couldn't change the Host files anymore in Windows 8. And don't you have to be running Windows NT to use GPOs?

Does your router allow parental control settings of some sort? My shitty ISP-provided router/modem unit can allow only a certain website after blocking them all, theoretically. Which can also be assigned to each laptop individually after giving them static DHCPs.
They'll be out and about connecting to either families' routers or with a portable hotspot with a data plan.

I found this, and when I do this, it won't let you mess with the extension settings, but it also makes the extension no longer work as it can't "read" the file. Although only setting it to deny write abilities does nothing.
http://superuser.com/questions/665952/how-to-prevent-my-guest-user-from-installing-chrome-extensions
 
That may work. I'd like to be able to keep the admin account with working internet though.

Try these bash scripts for easy setting/resetting:
(Replace and or copy Local Area Connection for as many connections you have, and obviously replace YourOnlySite.com and 255.255.255.255 with your respective site and site's IP address)

To set:
Code:
@echo off
SET NEWLINE=^& echo.
REM Append the hosts entry only if the site is not listed yet (FIND sets a non-zero ERRORLEVEL when nothing matches).
FIND /C /I "YourOnlySite.com" %WINDIR%\system32\drivers\etc\hosts
IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^255.255.255.255 YourOnlySite.com>>%WINDIR%\System32\drivers\etc\hosts
REM Point the adapter's DNS at localhost so only names in hosts resolve. A static "set dns" replaces the whole server list.
netsh interface ip set dns name="Local Area Connection" static 127.0.0.1
ipconfig /flushdns

To reset (hosts shouldn't need to be changed since your site's IP is the same, right?):
Code:
@echo off
netsh interface ip set dnsservers name="Local Area Connection" source=dhcp
ipconfig /flushdns
 
If they are out and about and connecting in does that mean they will have a VPN (and then a proxy on your work network where this sort of thing is trivial to handle)*? If the data is any kind of sensitive (medical, legal and sales are usually an easy pitch for there) then that is probably a good thing. You could probably do something similar with a plain proxy if you want to run one.

The methods from the others will probably work, however hardcoding local IP/hosts/DNS can possibly leave you troubled if the IP suddenly changes/url schemas/subdomains change..... not to mention if your people are in the field for days at a time (conference, because that is what they do, .....).

*if you feel like getting a I R the netwark admin tshirt/some good resume padding you can do something fun with software defined networking if you do not have a decent link at the office.

Only thing I will say is try it on a network that redirects HTTP to a signup screen (a lot of web cafes/hotspots and the like).
 
You can use GPOs in any current Windows (i.e. all non 9x) & if you are not in domain just run "gpedit.msc" to edit the local policy. If your site isn't working in IE (have you tried compatibility mode, btw?) you can check this link: http://4sysops.com/archives/group-policy-for-firefox-and-chrome/. But for me the latest IE is most secure & flexible in GPO configuration so it's better for a sandbox environment.
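
The Chrome policy route mentioned above can also be applied directly to the registry keys that Chrome's Group Policy template writes. This is an added example, not code from the thread: it assumes a Chrome version that uses the current policy names `URLBlocklist` and `URLAllowlist` (older releases used `URLBlacklist` and `URLWhitelist`), and `YourOnlySite.com` is the placeholder from the batch script earlier in the thread.

```powershell
# Added example: enforce a one-site allowlist in Chrome through machine policy.
# Run from an elevated prompt; the keys live under HKLM, which standard
# (non-admin) accounts cannot modify with default permissions.
param(
    # Placeholder taken from the thread; replace with the real site.
    [string[]]$AllowedSites = @('YourOnlySite.com')
)

$base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeUrlList {
    param(
        [string]$PolicyName,
        [string[]]$Entries
    )
    $key = Join-Path $base $PolicyName
    # Rebuild the key so stale entries from an earlier run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($entry in $Entries) {
        # Chrome reads list policies as string values named 1, 2, 3, ...
        New-ItemProperty -Path $key -Name "$i" -Value $entry -PropertyType String | Out-Null
        $i++
    }
}

# Block every URL, then carve out the allowed site(s).
Set-ChromeUrlList -PolicyName 'URLBlocklist' -Entries @('*')
Set-ChromeUrlList -PolicyName 'URLAllowlist' -Entries $AllowedSites

# Read the values back so the deployment can be checked in a log.
foreach ($name in 'URLBlocklist', 'URLAllowlist') {
    $props = Get-ItemProperty -Path (Join-Path $base $name)
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { '{0}[{1}] = {2}' -f $name, $_.Name, $_.Value }
}
```

After restarting Chrome, `chrome://policy` lists both policies and their values. This restricts Chrome only; other browsers run from removable media still need the software restriction policies mentioned above.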
 
I have something called WasteNoTime.
It's a Chrome extension and it allows only the websites you add to your whitelist, and has some great customizations. Cons? It's only for your browser; if someone adds a new browser it can enter every page it wants :/
 
Thanks for all the suggestions guys. After trying some of these things and fiddling around, I found a feature in Windows 8 called Family Safety. If I make the non-admin account a "child" account, I can block all internet sites except for ones on a whitelist. This leaves the admin account with full internet access and the child account can only go to the one website they should be going to.
 
Just curious but why are they only allowed to go to one website?

What are the negatives your company sees from giving employees more freedom that have led to this policy?
 
