LinuxQuestions.org
Old 07-18-2011, 04:38 AM   #1
snake eyes
LQ Newbie
 
Registered: Nov 2007
Posts: 17

Rep: Reputation: 0
Block some sites in a LAN


Hi,

I need to block some websites and torrents on my LAN running on mostly Windows XP PCs and a Windows 2008 domain controller. It's possible to block some sites using DNS in the Windows domain controller, but users have the rights to change DNS and bypass the rule.
Editing HOSTS file doesn't work.
Then I tried using Avast antivirus Site Block feature, but that doesn't work on any browser except Mozilla. We have to use Epic and Mozilla Firefox.
We can't use a dedicated hardware firewall due to budget constraints and the fact that we have multiple ADSL lines for internet. No single gateway.
Similarly can't use proxy either.

Is there any other way of blocking the sites by means of free software?
 
Old 07-18-2011, 05:33 AM   #2
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Rep: Reputation: 411
Possibly...and (possibly) even free: use the firewall feature of the ADSL modems.

Alternatively, of course it's just a suggestion: reconfigure the network to use one modem/gateway and set up an obsolete box with a Linux firewall. But, I like that kinda options...

And, even more alternatively, and far nastier, is: the Internet policy. Set one up, have everyone sign it, set up a sniffer on the LAN and fire anyone that calls up such-and-such site...
Apart from the actual firing, it's an option...

But...I'd rewire the LAN for one gateway and set up a box to filter out...

Luck

Thor
 
Old 07-18-2011, 06:11 AM   #3
snake eyes
LQ Newbie
 
Registered: Nov 2007
Posts: 17

Original Poster
Rep: Reputation: 0
Firewall feature is missing in modems. And we have 10+ modems.
And that Policy thing will not work here. Too many things against it. I think something like DNS poisoning on LAN for specific sites can work, but couldn't find anything on how to do it on LAN without screwing up traffic. Last time I tried it using Ettercap, internet access for everybody slowed down to a crawl.
 
Old 07-18-2011, 06:18 AM   #4
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
Quote:
It's possible to block some sites using DNS in Windows Domain controller, but users have the rights to change DNS and bypass the rule.
Restrict the users from changing DNS.
Quote:
Editing HOSTS file doesn't work
Why not?
Give the users less privileges.

Kind regards

Last edited by repo; 07-18-2011 at 06:20 AM.
 
Old 07-18-2011, 06:43 AM   #5
snake eyes
LQ Newbie
 
Registered: Nov 2007
Posts: 17

Original Poster
Rep: Reputation: 0
If it was possible not to give users that privilege, I'd not have asked the question here. The thing was working quite well before I was forced to give users that right. Also not all users can log in to the domain. Some software doesn't work on a domain account.
 
Old 07-18-2011, 11:05 AM   #6
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Rep: Reputation: 411
Oooh boy, this reminds me of a job I once had. The sales reps that could buttkiss (pardon the word, please) the best had the most privz, leaving me (the admin) in charge of security and hanging out to dry if it went sour.

Okay, look, as far as I can see, whatever you'll implement, you'll have to break down for one or other kiss-up.

Where does the management stand in this? You may hate me for this (really, go ahead do hate me) but...when you've got the management either against you or itself with the back against the wall, you might as well get a bucket and mop to clean up...

Quote:
The thing was working quite well before I was forced to give users that right.
So, where did that come from? The management? Well, my point exactly...some of them are milking the cow...

(sorry for my rants, but it's exactly that sorta situation that made me happy not to be in pro-IT anymore - I'll happily edit out my rants if I offended...)

...good luck man, I sympathise, though that doesn't butter yar bread...

Thor
 
Old 07-18-2011, 03:48 PM   #7
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,982

Rep: Reputation: 3626
I'd run a free virtual machine then route all traffic to a virtualized firewall distro.

A hosts file does work. The only way I know to not get that to work is to use a proxy.pac file. In that case you set the blocked sites in that proxy.pac file.

You also need to limit ports. No one on a corporate LAN needs to run a torrent. Too risky.
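
The proxy.pac approach mentioned in the post above, as an added example that is not part of the original thread: a PAC file is a JavaScript file whose `FindProxyForURL` function the browser calls for every request. The domains listed and the blackhole address `127.0.0.1:9` are constructed assumptions; the match is on a dot boundary so look-alike hostnames are not blocked by accident.

```javascript
// Added example: proxy auto-config (PAC) file that blackholes listed sites.
// Domains are constructed placeholders, not taken from the thread.
var BLOCKED_DOMAINS = [
  "torrent-site.example",
  "downloads.example"
];

// Assumption: nothing listens on 127.0.0.1:9, so blocked requests fail locally.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Normalise a hostname: lower-case it and strip a trailing root dot.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

// True when host is a listed domain or a subdomain of one.
// Matching on "." + domain stops "nottorrent-site.example" from matching.
function isBlocked(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    var d = BLOCKED_DOMAINS[i];
    if (h === d) {
      return true;
    }
    var suffix = "." + d;
    if (h.length > suffix.length &&
        h.indexOf(suffix, h.length - suffix.length) !== -1) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls with the full URL and its hostname.
function FindProxyForURL(url, host) {
  return isBlocked(host) ? BLACKHOLE : "DIRECT";
}
```

The file only takes effect in browsers configured to load it, so, like the DNS setting discussed earlier in the thread, it holds only where users cannot change the browser's proxy configuration.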
 
Old 07-22-2011, 05:45 AM   #8
snake eyes
LQ Newbie
 
Registered: Nov 2007
Posts: 17

Original Poster
Rep: Reputation: 0
The only option that I'm left with is using the HOSTS file. But blocking all the major torrent and misc download sites using this method is nearly impossible. Actually you can't even block torrent downloads if the users bring torrent files from outside.
Another thing that I've done is to force more users to log in to the domain and run the software requiring admin rights using the "runas" command from a bat file.
 
  

