I am looking for a web browser solution in the Linux environment to provide controlled access to one or two domains. This is for a factory/warehouse implementation. The machines will be used to access shipping information and email or report to headquarters.

An optimal solution would have limits based on user id or role. The machine should boot up to the browser with limits.

I don't need to know all the gory details about how to do it right now. I just need to know that it is feasible and what combination of products it would take. I am looking at this as a better alternative to a Windows/Citrix/and other junk solution.

Assuming there is a solution, does anyone have any idea of how complex this is to do?

Thanks.

sounds like a real simple squid proxy, something that a dedicated firewall distro like ipcop could easily handle for you with its default builtin squid server. you could run it transparently and authenticate on a per ip address basis, but if you can define how the users and machines work, e.g. will the same machine be used by different people for different functions?

More details:

there will probably only be two or three roles (administrator, power-user, worker-bee

the machines are located in geographically dispersed locations with normally no overlap of usage. In other words, under normal circumstances a machine would be dedicated to one role.

It would be optimal, since there will be only one active machine per location, if a machine could allow more than one role. This would allow a visiting administrator or power-user to use the machine.

ok, so are you looking for a central solution? a solution that is on each machine that the browser is using? If you are using a centralised point of internet access then again i'd refer back to ipcop, with the advproxy addon http://www.advproxy.net. you could also deploy this in each location, but it would require a seperate machine on each site (unless you ran a vmware instance on the single machine which is feasible but not what you really wanti'm sure) which, if it's only serving one machine anyway seems odd at best.

Now, outside of this i am not sure how you would achieve user based authentication to restrict access to certain sites iwth no additional machine. you can certainly run squid and authenticate on it when you are telling a browser to go directly to a proxy, but what's stopping a user disabling that proxy and just going direct to the internet? an iptables rule can intercept port 80 requests, but those requests will come from squid too anyway.... I'm\ rambling now, probably worth ignoring all that.

OK, so what if you don't want squid... could you not simply restrict the visible UI of the browser they are given to use? if they can only go to a homepage which is a menu, and have no access to other parts of the browser then would that be all you'd want as an assurance they can not go elsewhere? i'm sure there will be firefox extensions for this for example.

Thanks for your suggestion. After searching I found the Opera browser has a Kiosk mode designed to allow you to limit the domains which can be seen. It also has an ability to display a site in full screen mode with no buttons or tool bars. This will handle the problem. Google Opera Kiosk mode for more information on how to.

Thanks.

well there are kiosk modes for all browsers afaik, nothing special about opera's implementation i'd have thought.