Need assistance with enforcing internet ACL (when users can install firefox)

[Guest pez]

We control access to the internet though an ISA server (which works

fine). To get to the internet users use a proxy (which is the ISA

server). But some have figured out that if they install firefox by

default it connects them directly to the gateway (bypassing the ISA

box). Because of other applications users need to have local admin

rights so even if I remove firefox, they can just reinstall. Anyone

have any suggestions?

[Guest jwgoerlich@gmail.com]

Re: Need assistance with enforcing internet ACL (when users can install firefox)

 

Can you block the gateway from accepting web (http/https) requests

from client computers?

 

J Wolfgang Goerlich

 

On Oct 12, 2:54 pm, pez <peter.zelo...@gmail.com> wrote:

> We control access to the internet though an ISA server (which works

> fine). To get to the internet users use a proxy (which is the ISA

> server). But some have figured out that if they install firefox by

> default it connects them directly to the gateway (bypassing the ISA

> box). Because of other applications users need to have local admin

> rights so even if I remove firefox, they can just reinstall. Anyone

> have any suggestions?

[Guest Jack Doyle]

Re: Need assistance with enforcing internet ACL (when users can installfirefox)

 

Re: Need assistance with enforcing internet ACL (when users can installfirefox)

 

pez wrote:

> We control access to the internet though an ISA server (which works

> fine). To get to the internet users use a proxy (which is the ISA

> server). But some have figured out that if they install firefox by

> default it connects them directly to the gateway (bypassing the ISA

> box). Because of other applications users need to have local admin

> rights so even if I remove firefox, they can just reinstall. Anyone

> have any suggestions?

 

 

Absolutely. There are a couple of ways that you could handle this.

 

The first would be to find where the proxy settings for Firefox are

stored and make changes to those pro grammatically (registry, etc.)

 

That's not an ideal solution, though, because as soon as you do that

they'll install Opera, then Safari, then something else.

 

The best way to handle this would be to create Access Control Lists on

your gateway itself that only allow the ISA server to access the

internet. You could also add entries for servers, etc. Hopefully you

have them on a different LAN segment so this would be easy to do.

 

This way, you are able to prevent the users from accessing the internet

unless they go through the proxy, regardless of which application they

are using.

 

 

--

 

Jack Doyle, Systems Engineer

ScriptLogic Corporation

http://www.scriptlogic.com