Subj : MICROSOFT PROXY SERVER
To   : Jay Fuller
From : Lawrence Garvin
Date : Mon Oct 28 2002 10:03 pm

Jay wrote to All at 22:01 22 Sep:

 JF> Now...these people who currently have access (say...5-6
 JF> administrative staff) have complete access to everything.
 JF>  
 JF> We're trying to allow two or three more employees on, but they
 JF> should have access to only the websites they *need* access to...for
 JF> example, the website they file insurance on.
 JF>  
 JF> I've got hostnames and IP addresses for those allowed sites...  
 JF>  
 JF> how do i control access ?

Jay, I saw a response to you about using another product, but no response 
directly to this question.

The answer is .. as you may well have figured out by now .. you cannot.

MS Proxy Server does not have the capability to restrict access by user 
account. It can restrict by IP network, service, or port. Theoretically you 
could create dual subnets on the same physical LAN, but that's a complex 
solution and has ramifications beyond Proxy Server. It also requires a router 
to be installed on the LAN in order to transport packets between those two 
subnets.

Essentially you'd need to install a second MS Proxy Server, and set the default 
gateway on the restricted desktops to the alternate proxy server -- but even 
that's no guarantee that the users will not 'switch' to the unrestricted proxy 
server.

What you really need to do this is a full-blown firewall, and there are dozens 
to choose from. My personal preference for small networks is the GnatBox 
product (http://www.gta.com). For small networks, the product runs on a 
diskless P133 with 32MB RAM, and supports a web-based configuration interface, 
DHCP, DNS, SMTP Proxy, and a number of other services.

--- 
 * Origin: lawrence@eforest.net | The Enchanted Forest (1:106/6018)

.