Category for this? website blocking via firewall, UAC for program...

thezman007

Mods please move to appropriate sub-forum...

Hi guys,

First of all, thanks for being here :) These forums helped me figure out a BSOD problem in the past. Here is my dilemma:

A friend of mine is a manager for an auto garage in town. His employees need a computer to log their hours and do training modules over the Internet. The problem is that the employees waste a lot of time on YouTube. I suggested he block the site using the "hosts file method". After doing so he says they can google something, then access YouTube via the search results. I don't know how this is possible. I propose to:

- Install Comodo firewall to block YouTube
- Make his employees use an account w/o admin privileges so they cannot change this.
- Problem solved, right? :geek:

The only problem I see is that my friend claims that one of the programs they use requires admin rights... So if they put in the password when it's requested from their non-admin account to get those rights for that program, don't they now have the password to get into the admin account and change things?

So my questions are:
- Is there a way to elevate the privileges of only that program so the employees never need to know the password?
- Should Comodo be installed by the admin?
- Is this the best solution or do you have a better one?

I usually run Linux so I am a bit out of my element here. I expect to go in on Sunday to fix this up for him so that the changes "just happened" and no one can really complain :p Thanks in advance
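
Hosts file entries are matched against the exact hostname, with no wildcard or subdomain matching, so a block on one name leaves other names for the same site resolvable; that is one way a hosts-file block can appear not to work. The check below is an added example, not part of the original thread; the sample hosts content and the hostname list are constructed for illustration.

```python
"""Added example: which hostnames does a hosts file actually sink?"""

# Addresses commonly used to send a blocked name nowhere.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample in the style of the "hosts file method".
SAMPLE_HOSTS = """\
# constructed sample of C:\\Windows\\System32\\drivers\\etc\\hosts
127.0.0.1   localhost
127.0.0.1   youtube.com      # the name the admin thought of
0.0.0.0     *.youtube.com    # wildcards are not supported: never matches
"""

# Hostnames chosen for illustration (assumption, not from the thread).
NAMES_TO_CHECK = ["youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"]


def normalise(name):
    """Hostnames compare case-insensitively; ignore a trailing dot."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: address}; the first entry seen for a name is kept."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:                    # blank or malformed line
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(normalise(name), addr)
    return table


def uncovered(text, names):
    """Names with no exact-match entry pointing at a sink address."""
    table = parse_hosts(text)
    return [n for n in names if table.get(normalise(n)) not in SINK_ADDRS]


if __name__ == "__main__":
    for name in uncovered(SAMPLE_HOSTS, NAMES_TO_CHECK):
        print("not blocked by hosts file:", name)
```
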
 

He can simply block the sites in his router settings, usually signing into it with something like 192.168.1.2 or something similar; it should be on the back of the router with the login information. He can block keywords and whole websites.

You can also look at this:
How To Use Parental Controls in Windows 7
 

I hadn't thought of the router settings... thanks! I will try that first.
 

You can also look into OpenDNS.
 

> The only problem I see is that my friend claims that one of the programs they use requires admin rights

This is THE real problem. Your solution is very good in fact, but having someone with admin privileges lets him basically lift any measures you may take in that computer. In my experience, actually very few programs REALLY require administrator rights. Often this is an indication of poorly made software. Maybe an update to a more recent, Win7 compliant version is available? Is there support from the developers to somehow relax that requirement?


> Is there a way to elevate the privileges of only that program so the employees never need to know the password?

There are a few tricks where you can create a shortcut that doesn't emit a UAC prompt for a password, abusing Task Scheduler to that end. Look here:
http://www.sevenforums.com/tutorials/193743-elevated-program-shortcut-create-standard-user.html

The problem with that is that the method creates huge security holes that knowledgeable people will exploit, gaining admin rights again and defeating the whole purpose of the standard account.
Even then, having a program with elevated permissions may still expose substantial risks, depending on what the program does, as it might be able to launch other, arbitrary programs. Open/SaveAs dialogs are a trivial example of such an exploit.


> Should Comodo be installed by the admin?

Yes, always. Installing programs system-wide always requires administrator permissions. This is a one-time requirement, however. Changing its configuration always requires admin, and again, it's done only once.
Windows 7 also has a built-in firewall that can serve well for this purpose, without the need of external programs.


> Is this the best solution or do you have a better one?

I think it's a very good option, both the hosts and the firewall, but having an administrator in the computer defeats both of them. Remove that requirement and this approach becomes an excellent one. You might also go ahead anyway and hope that they don't figure out how to bypass that, if they're not very tech-savvy.

An alternative approach could be to set the firewall up in the network. If the router/modem/whatever has a built-in firewall, it may be used to block everything that passes through it, and since the control is done outside each terminal, users are free to have admin rights. You may use a "server" computer to do this job too, if the router doesn't support it, acting as a proxy that all others use to connect to the Internet.
 
