Lesson 3: Restricting Access to Content on the Internet

Some organizations restrict Internet access based not only on users and computers, but also on the content of the Internet resources. Restrictions may be required for

  • Denying access to specific domains on the Internet
  • Preventing the download of harmful Web content
  • Restricting what types of content can be downloaded from the Internet

If you employ these strategies, you will also require a way to ensure that your employees can't bypass or modify the required settings.

After this lesson, you will be able to

  • Develop strategies for blocking access to unauthorized sites and content on the Internet

Estimated lesson time: 30 minutes

Preventing Access to Specific Web Sites

Once you've granted access to a specific protocol, you might wish to restrict access based on the Web site's host. For example, your organization's Internet acceptable use policy may not permit access to an Internet gaming site. You configure Web site restrictions by defining domain filters in Proxy Server 2.0. Domain filters block all access to Web sites and Internet resources that are located within the blocked domains. For example, Figure 15.16 shows a domain filter list that prohibits access to any resources in the hansonbrothers.tld Internet domain.

click to view at full size.

Figure 15.16 Using domain filters to block access to specific URLs

This domain filter blocks access to any resource within the hansonbrothers.tld domain, including first-level hosts such as www.hansonbrothers.tld/ or hosts in child domains such as mail.east.na.hansonbrothers.tld.


All fully qualified domain names (FQDNs) in the domain filter list are converted to IP addresses before they're applied. This ensures that access is prevented to blocked Web sites even if the user attempts to connect to the Web site using the IP address instead of the Universal Resource Locator (URL).

Making the Decision

When designing security for private network users accessing the Internet, you can prevent access to specific Web sites by

  • Identifying Web sites that will always be unauthorized for access. You generally do this by identifying types of Web sites that aren't authorized. For example, access to online casino sites may be restricted in your organization. You can identify the URLs for many well-known casinos.
  • Including the domain names in the domain filter list. By including the domain in the domain filter list, you prevent access to any Web site within the domain.

Applying the Decision

Wide World Importers must configure a domain filter for nwtraders.tld to prevent the Proxy Server from allowing access to any Web sites for nwtraders.tld. The filter will prevent access to any Web site within nwtraders.tld.

Using the Internet Explorer Administration Kit to Preconfigure Settings

The Internet Explorer Administration Kit (IEAK) allows you to preconfigure Internet Explorer settings before deploying Internet Explorer to the desktops in your organization and to update deployments on an ongoing basis.


The IEAK is available for download by going to http://www.microsoft.com and searching for "IEAK."

The IEAK consists of two applications: the Internet Explorer Customization Wizard and the IEAK Profile Manager. The Internet Explorer Customization Wizard allows an administrator to define custom settings for all security settings in Internet Explorer. The IEAK Profile Manager allows modifications to be applied to existing installations by storing the modified configuration settings in a .ins file. Internet Explorer clients will detect the .ins file and apply those settings when Internet Explorer is configured to Automatically Detect Settings.

You can configure the following security related options within the IEAK Customization Wizard:

  • Enable Automatic Configuration. You must enable automatic configuration to allow modified configuration settings to be downloaded from the .ins file created by the IEAK Profile Manager.
  • Proxy Settings. If Proxy Server 2.0 is available on the network, you can preconfigure the proxy settings for Internet Explorer.
  • Define Certification Authorities. Enables the addition or deletion of Certification Authorities (CAs) trusted by Internet Explorer.
  • Define Security Zones. Allows you to define default security settings based on the zone in which a Web site is located.
  • Enable Content Rating. Prevents access to Web sites based on the Content Advisor settings.

Making the Decision

You must consider the following items when planning consistent security configuration of Internet Explorer within an organization:

  • Determine the desired configuration of Internet Explorer. The configuration must ensure that security is maintained by meeting the objectives defined in the organization's Internet acceptable use policy.
  • Define an installation package that applies the standard configuration. Use this installation package to deploy the configured version of Internet Explorer to all desktop computers.
  • Determine how modifications will be deployed. You can use the IEAK Profile Manager to create a .ins file that's automatically downloaded to Internet Explorer clients if the browser has the Automatically Detect Settings setting enabled.
  • Prevent modification of the standard configuration. Use Group Policy to restrict access to the Internet Explorer Properties dialog box for Windows 2000–based computers. If users can't connect to the property pages, they can't modify the standard settings and weaken security.

Applying the Decision

Wide World Importers is currently supporting both Internet Explorer and Netscape Navigator. If Wide World Importers moves to a pure Internet Explorer environment, using the IEAK will reduce the cost of deploying the latest version of Internet Explorer and ensure that consistent security settings are deployed to all computers in the organization. The IEAK will work in the Wide World Importers network because the IEAK supports Windows 95, Windows 98, Windows NT, and Windows 2000 installations.

To ensure that modified settings are deployed to the desktop, use the IEAK Profile Manager to create a modified .ins file and post it on an accessible share on the network. If Internet Explorer is configured to autodetect Proxy settings, the .ins file will be read from the network location and used to apply any modifications to the Internet Explorer configuration.

Managing Content Downloads

Internet Explorer allows you to use security zones to manage what content can be downloaded from Web sites. Each security zone is configured with a security setting that defines what content can be downloaded from Web sites in the security zone.

The predefined security zones that are included with Internet Explorer are

  • My Computer. Includes all resources stored on the local computer except for cached Java classes and content in the Temporary Internet Files folder.
  • Local Intranet. Includes all Web resources located on the private network. The local intranet zone will contain all sites that are bypassed by the Proxy Server, all Universal Naming Convention (UNC) names, and URLs that don't have domain extensions, such as http://web.
  • Trusted Sites. A list of all Internet sites that are determined to be trustworthy for downloading content. Typically, this includes business partners and common download sites such as www.microsoft.com/ or http://www.netscape.com/.
  • Restricted Sites. A list of sites that a private network user can view but can't use to download specific forms of content.
  • Internet. All sites on the Internet that aren't included in the Trusted Sites or Restricted Sites zones.


You can't add additional zones to the predefined zones included with Internet Explorer.

For each zone you can define the security settings by associating a security level with each zone. Four security levels are predefined, but you can also define custom settings if the defaults don't meet your organization's security needs. The default security levels include

  • Low. Allows most content to be downloaded and executed without prompting the user. Due to the lack of safeguards, you should apply this setting only to the Local Intranet or Trusted Sites zone.
  • Medium-Low. Allows most content to be downloaded and executed without prompting the user but prompts before downloading signed ActiveX controls and prevents the downloading of unsigned ActiveX controls.
  • Medium. Attempts to download content that's potentially unsafe cause the user to be prompted before the content can be downloaded. This setting is commonly used for the Internet zone because it allows download but provides warning when caution should be applied.
  • High. Disables most Internet Explorer features that introduce risks to the network, including the ability to download Java and ActiveX controls. This setting provides the most security, but it may result in a loss of functionality.

An organization can ensure that correct settings are applied to all Internet Explorer clients by using a mix of the IEAK and Group Policy. The IEAK allows default security settings to be defined for Internet Explorer and allows settings to be modified from a central location by defining configuration (.ins) files. Group Policy allows Windows 2000–based computers to secure Internet Explorer by preventing the display of configuration property pages. If users can't access the property pages, they won't be able to modify the default settings.

Making the Decision

Table 15.7 lists the actions that you must include in your security design to meet common objectives related to preventing harmful Web content from the Internet.

Table 15.7 Designing Content Rules by Internet Zone

To Do the Following
Allow download of safe content from trusted sites

Add all trusted sites to the Trusted Sites zone.

Configure the security settings for the Trusted Sites zone to Medium-Low.

Allow unrestricted access to content on the private network

Ensure that Internet Explorer is configured to bypass the proxy for local intranet access.

Configure the security settings for the Local Intranet zone to either Low or Medium-Low.

Prevent download of harmful content from all Internet sites

Add sites that may contain harmful content to the Restricted Sites zone by adding the URLs to the list of sites.

Configure the security settings for the Restricted Sites zone to High.

Apply security settings that match the Internet acceptable use policy for your organizationDefine custom settings for the security zone where you require the custom settings.
Ensure consistent security settings on all client computers

For all operating systems running Internet Explorer, define the required settings in the IEAK and ensure that all clients use automatic configuration so that the settings are updated whenever required.

For Windows 2000–based computers, define a Group Policy object that restricts access to the Internet Explorer's properties to prevent modification of the security settings.

Applying the Decision

Wide World Importers wants to place restrictions that make it difficult to download software from the Internet. Configuring the Internet zone to use the High security setting prevents the download of most harmful content from the Internet. Combining the High security settings with a deployment of a security template limits users to creating files in their personal folders and common shared files locations. This makes it difficult for a user to download and install unauthorized software from the Internet.


Make sure that the users aren't members of the Power Users group on the local computer, because membership in that group would elevate privileges and allow the users to install software in other locations on the disk.

Preventing Access to Specific Types of Content

Many Web sites contain content that isn't appropriate for business purposes. Con- tent that falls into this category can include nudity, sex, language, and violence.

You can block access to Web sites that contain unauthorized content by using plug-ins that allow content scanning at the Proxy Server. If any inappropriate content is discovered, the Proxy Server won't load the materials and instead inform the user that the content is blocked.


A list of plug-ins for content scanning is available at http://www.microsoft.com/proxy/.

Another method is to use the Internet Explorer Content Advisor in Internet Explorer. The Content Advisor controls which content can be displayed in the browser window by using the Recreational Software Advisory Council on the Internet (RSACi) rating system. RSACi categorizes Internet content into four categories based on language, nudity, sex, and violence. When the Content Advisor is enabled, Internet Explorer scans the Hypertext Markup Language (HTML) source code for RSACi ratings contained in HTML metatags. If the rating is one that's blocked for access, the Web page won't be loaded in the browser window. You must also define what action to take if a site is unrated. If the Content Advisor doesn't find an RSACi metatag, you can choose to either prevent or grant access to the Web site HTML source code.


Deciding whether to block unrated sites is difficult. It isn't compulsory to include RSACi metatags in a Web site. Blocking access to unrated sites may deny access to sites that aren't offensive.

If you use the Content Advisor, you can prevent users from changing the content ratings. You can do this either by locking the Content Advisor settings with a supervisor password or by preventing access to the Content tab in the Internet Explorer Properties dialog box.

Making the Decision

Take the following actions when designing a strategy to block specific types of Internet content:

  • Define your organization's policy on obscene content. The security that you implement to block forms of content must match your organization's Internet acceptable use policy.
  • Define what content must be blocked. Each Internet acceptable use policy will define different levels of filters that must be applied. For some organizations, the filters may block only nudity and sex-related content. Other organizations may include restrictions on vulgar language.
  • Define what action to take when an unrated Web site is accessed. The Content Advisor determines the rating for a Web site by reading HTML metatags in the source data. You can choose to either deny or allow access to unrated Web sites. The decision should match your organization's Internet acceptable use policy.
  • Prevent users from changing content settings. Ensure that the supervisor password for content settings is a password that's difficult for the end users to guess. This ensures that users can't modify settings.
  • Ensure that all settings for Internet Explorer installations are consistent. Use the IEAK to define the required content settings and lock the content settings with a common supervisor password.

Applying the Decision

Wide World Importers wants to prevent employees from connecting to sites that contain pornography and violence. Wide World Importers must enable content ratings for all Internet Explorer clients to ensure consistent application of the restrictions. In the Content Advisor, define restrictions to prevent access to sites that contain nudity, sex, and violence. To ensure that the settings aren't modified by employees, configure the settings using the IEAK so that the required settings are configured as the default settings. The IEAK can also ensure that Internet Explorer clients are configured to autoconfigure settings and will download any modified content settings. Finally, configure Group Policy to prevent access to the Content tab of the Internet Explorer Properties dialog box.

Lesson Summary

Creating restrictions on the content that can be accessed from the Internet ensures that the Internet isn't abused by an organization's employees. You can configure restrictions to block access to specific Web sites or to block access based on a Web site's contents. Additionally, you can use the IEAK to ensure that consistent configuration is applied to all the computers in the organization.

As with most security settings, Group Policy provides added control by restricting user access to certain property pages. By removing the ability to modify configurations, you can ensure that the desired default settings are maintained.

Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
EAN: 2147483647
Year: 2001
Pages: 172

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net