blocking ports won't work. Only default deny. Install a squid box and deny all outgoing traffic except the squid box. Point browsers at squid. Turn on packet mangling so nothing works but http traffic.

Set up a whitelist of web sites they can see. Allow www.google.com. As people complain add the sites they need to see. At first it will be hell, but all of your talky problems will be gone forever.

Set up an approval process. Supply a form on the intranet. If someone needs to get to a site, they fill out form, their boss signs off on it, and forwards to you. Gradually you'll have a whitelist of nothing but work related sites.

No one will be fired for looking at porno again because they can't any more.

This way you know who is looking at what, why, and if some VP says "Why is this site in there?" You can pull the form and give a copy to the vp so they can go ask the manager themselves. This will solve a lot of problems in one fell swoop.

People will bitch and moan but they'll get over it.

Just tell management that it will be hell for a little while but their network will be under control. IMHO this is how you deal with the "power users" that like to exploit your network.

This will keep them from getting dialers from porno sites, shareware trojans, music pirating, etc etc etc. It will solve a crapload of problems related to unauthorized outgoing connections for you.

It won't make you the most popular person in the office but you and your boss will look great to the people that hand out raises XD and your bandwidth usage will drop by 90%.

Special needs people will have a different form to fill out where they authorize you to open a port for their box. If they abuse it, it's their ass.

default allow just doesn't work, neither does just trying to block "bad stuff". It's an endless race against your users. You need to block everything but the "good stuff" and have a document for every site people are accessing. Draconian but very very effective.

-Viz

I'd only allow http://www.ask.com to start, as google itself is spyware.

can u reply to mail please

This method works pretty well for skype. It will work on the sidewinders. you have to make some minor modifications to the regex types in the white paper because of how old squid is on the sidewinders but it will work.
http://www.net-security.org/article.php?id=876

This method kills ICQ too.

Creating Regex rules for instant messenger mime types will also stop several of the clients like msn, yahoo, and aol when combined with blocking the login pages for the messengers. Tons of documentation all over the web for the mime types and uri's to block.

Most people that i have ever seen dont run squid on the sidewinders. Most companies that have the money to go with sidewinder normally go with a seperate proxy server. It should work though... depending on the proxy server appliance. every time sykpe gets blocked and the developers find out how they will change it to work again. It is an on-going battle and will be for a long time.

Squid on the box, squid off the box, it doesn't matter. The methods have proven to be effective at this point.