Blocking all internet but not email?

dazmower

Howsit guys,

I need a good way to block all internet traffic but to enable email.

Not all PC's, just certain.

I'd guess the best option would be to do it on the ADSL router, block port 80 for IP range between ..., I am struggling to do so on my routers.

just bought a planet ADE-3400 and I have a EDIMAX something.

All users will be on XP Pro, SP2 or SP3,

I used to do it via MMC, inserting policies etc but I see this doesn't really work so well anymore.
Currently I have blocked everything with a fake DNS server address but this is easy to get around.

I can create user accounts with passwords and do something like these sites say:

http://www.christianblog.com/blog/a...access-in-windows-for-specific-user-accounts/
http://community.spiceworks.com/how_to/show/1440

but will a dummy DNS or Proxy address allow email?

So options:
1) Router which I am struggling with
2) User - then change access - but how and what? I even don't mind deleting IE and not letting them install anything?
3) or both as I wouldn't mind keeping games and anything private from being installed on the PC's

While I'm doing this, any way to disable USB keys but not USB printers? sick of viruses!!!

One of our guys is pretty good with PC's so I must be a little smart

cheers
 

Other Pineapple Smurf

Firstly what OS are you using?

EDIT: PS, I'm actually interested in the response as I need to do the same for my daughter's new laptop later this year.
 

ponder

You need to identify which ports your email server/client are using.

You can start with
POP3 - port 110
IMAP - port 143
SMTP - port 25
HTTP - port 80
Secure SMTP (SSMTP) - port 465
Secure IMAP (IMAP4-SSL) - port 585
IMAP4 over SSL (IMAPS) - port 993
Secure POP3 (SSL-POP) - port 995
 

ITCynic

Have a look at Smoothwall Express. Can do exactly what you want ..... and more.

One of my clients has it configured that all websites are blocked, except for sites he needs for his business to function, with 1 workstation (his) to have no restrictions.
Staff productivity has improved as less time is wasted on "research".

If you are in Cape Town, PM me your details and I can arrange a demo of the product for you.
 

stricken

close all outgoing ports on the firewall except POP3 - port 110. IMAP - port 143. SMTP - port 25

these are the mail ports.

then lock them out of admin account.

although it's technically possible to proxy HTTP traffic over these ports, I doubt they are that level.
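
Added example, not part of any post in this thread: one way the "mail ports only" rule above could be written for a Linux gateway using iptables. All addresses are constructed placeholders, and pinning the destination to a single mail server is an added assumption that narrows the proxy-over-mail-ports gap mentioned in the post.

```shell
#!/bin/sh
# Emit iptables FORWARD rules for a Linux gateway: restricted PCs may reach
# one mail server on the mail ports and one DNS resolver, nothing else.
# Every address below is a constructed placeholder (assumption).

MAIL_SERVER="192.0.2.25"          # ISP or company mail server (assumed)
DNS_SERVER="198.51.100.53"        # upstream DNS resolver (assumed)
# Mail ports named in the thread: SMTP, POP3, IMAP and their SSL variants.
MAIL_PORTS="25,110,143,465,993,995"
# PCs that get e-mail only; hosts not listed here are left untouched.
RESTRICTED="192.168.1.20 192.168.1.21 192.168.1.22"

gen_rules() {
    # Let replies to already-permitted connections back through.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for host in $RESTRICTED; do
        # Mail ports are open only towards the mail server, so they
        # cannot be used to reach an arbitrary host on port 25 or 110.
        echo "iptables -A FORWARD -s $host -d $MAIL_SERVER -p tcp -m multiport --dports $MAIL_PORTS -j ACCEPT"
        # The mail client still has to resolve the server's name.
        echo "iptables -A FORWARD -s $host -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
        # Log, then refuse, everything else from this PC (port 80 included).
        echo "iptables -A FORWARD -s $host -j LOG --log-prefix \"EGRESS-DENY \""
        echo "iptables -A FORWARD -s $host -j REJECT"
    done
}

# Print the rules for review; pipe them to "sh" as root on the gateway to apply.
gen_rules
```

Rules keyed on source address only hold while the restricted PCs keep those addresses, which is why locking users out of the admin account goes together with the firewall change.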
 

Other Pineapple Smurf

Is there a Microsoft application (Trusted) that can open/close the other ports with a password? I live in the LINUX world and can easily write a script for this but Windows7 is a new domain for me. Wonder if it's possible with Powershell.

(Sorry, not trying to hijack this thread but just asking questions that might also be of value to OP)
 

dazmower

All PC's are running XP Pro,

there are only about 10 PC's, only 4 will have complete internet freedom, the others absolutely no internet at all so I'm not too fazed by controlling certain sites etc.

mmm I'm actually liking the idea of user accounts and blocking their rights, this way I can remove all the standard games and keep them from stuffing around.

We are placing some pc's in the factory and places where the guys will have nobody watching them.

So firewall option sounds good, is there any other way I can block these ports (basically only port 80).

I'm trying to stay away from having a dedicated PC simply for this cause.
this 'gpedit.msc' seems to have some nice options for rights.

I'm in JHB,

thanks
 

dazmower

smoothwall looks good as well, I guess I can use an old PC for this task. it will serve as the gateway - giving/denying access as well as increasing security
 

Bismuth

Heh, the previous place I worked at did this, but the PCs had unrestricted internet access. After a week, they had no internet access, due to abuse and virus infections. They even removed the optical drives and USB ports eventually, the abuse was so bad. Even had to restrict the relevant user accounts to have read-only access to a document server (mine) hard drive, as they kept messing around with the folders and breaking things.

B
 

Venomous

it's possible to run the firewall (well the ones I know of) on really small PCs. So if you have a functional P4. So if there is an unused one lying around that would be your best bet in the long term.
 

dazmower

well that's exactly that, we gave it to our production manager and within hours was surfing porn so we cut it completely, problem now is we are giving them email,

thanks for all the help so far,

cheers
 

AstroTurf

IPCop will do the same (and much much more) if you have a spare pc of just about any specs (could be a P1), and it is free.
 

dazmower

Ok cool,

I think I will go with a user account without rights, will change network settings, program settings, maybe even remove IE completely together with all the games etc. This should do me fine until I can get another PC going to purely do this for me,

thanks for the replies guys
 

passive

use mmc edit local policy for proxy and add 127.0.0.1 to proxy (if you are using IE)
 