Here’s one that may be of use to someone out there.
A client had the need to ensure that a specific PC could only access specific websites during working hours, but could access any website during lunchtimes or after working hours.
They didn’t want to spend a fortune on software or additional boxes, so we looked at a way to do this with Windows and a little configuration.
As it turns out, it is possible, if a little fiddly. It’s not a high-security method of doing this – there are a few ways a user with non-admin privileges may be able to bypass it, but doing so would require a fair bit of effort and demonstrate a clear breach of company policy. So as with any of these things, always have an acceptable computer usage policy in your employees’ contracts. If they have admin privileges, bypassing this would be relatively trivial.
First:
Turn on Windows Content Advisor. This isn’t on by default any more, and can be enabled via group policy – either locally or at the domain level.
To do it at the local level, run gpedit.msc on the workstation. Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Content Page
Edit ‘Show Content Advisor Page on Internet Options’ and turn it on.
Run ‘gpupdate’ on the local PC, or reboot.
Next go into Control Panel, Internet Options, Content. You now have an Enable button for Content Advisor. Turn it on and set a password.
Browse to one or two of the sites that you want to allow. When prompted, be sure to select ‘Always allow this web site to be viewed’ and enter the password. You’ll probably also need to enter a local or domain admin password if prompted by UAC.
Once that’s done, the PC will only be allowed to access those sites.
Next is turning it off and on.
This can be achieved by creating a couple of batch files with the following commands:
To turn unrestricted web access off, i.e. switch Content Advisor on (we’ll call it turnon.bat):
reg add hklm\software\microsoft\windows\currentversion\Policies\Ratings\.Default /v enabled /t REG_DWORD /d 1 /f
To turn unrestricted web access back on, i.e. switch Content Advisor off (turnoff.bat):
reg add hklm\software\microsoft\windows\currentversion\Policies\Ratings\.Default /v enabled /t REG_DWORD /d 0 /f
Save your batch files somewhere outside of the user’s profile. Let’s not make it too easy to bypass!
Run Task Scheduler as an administrator (that’s important, or you’ll probably get problems saving your tasks).
Set up a schedule to run the batch files at the times required.
Make sure to do the following bits on your task to avoid problems:
1. Give it the credentials of an account with admin privileges on the local PC. Best to avoid a domain one…
2. Make sure the ‘run with highest privileges’ is ticked.
3. Make sure ‘run whether user is logged on or not’ is ticked.
4. Fill in the ‘start in’ box with the folder where your batch files are located, or Windows will not be able to locate them outside of system folders.
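The same setup scripted in PowerShell, as an added example that is not part of the original post. The folder C:\ProgramData\WebLock, the task names and the weekday times (09:00, 12:00, 13:00, 17:00) are assumptions; it also locks the folder down so a standard user cannot edit batch files that the scheduler runs with admin rights.

```powershell
#Requires -RunAsAdministrator
# Added example. Folder, task names and times below are assumptions, adjust to suit.
$dir = 'C:\ProgramData\WebLock'   # hypothetical folder outside any user profile
$key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings\.Default'

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# ProgramData lets standard users create files by default. Drop inherited ACEs and
# grant only SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544), because
# anything a user can write here would be executed elevated by the tasks.
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# The two batch files from the post: enabled=1 restricts browsing, enabled=0 lifts it.
Set-Content "$dir\turnon.bat"  "reg add `"$key`" /v enabled /t REG_DWORD /d 1 /f" -Encoding Ascii
Set-Content "$dir\turnoff.bat" "reg add `"$key`" /v enabled /t REG_DWORD /d 0 /f" -Encoding Ascii

# Step 1: a local (not domain) account with admin rights on this PC.
$cred = Get-Credential -Message 'Local admin account the tasks will run as'
$days = 'Monday','Tuesday','Wednesday','Thursday','Friday'

$schedule = @(
    @{ Name = 'WebLock-Restrict-Morning';   Bat = 'turnon.bat';  At = '09:00' },
    @{ Name = 'WebLock-Open-Lunch';         Bat = 'turnoff.bat'; At = '12:00' },
    @{ Name = 'WebLock-Restrict-Afternoon'; Bat = 'turnon.bat';  At = '13:00' },
    @{ Name = 'WebLock-Open-Evening';       Bat = 'turnoff.bat'; At = '17:00' }
)

foreach ($s in $schedule) {
    # Step 4: -WorkingDirectory is the 'start in' box.
    $action  = New-ScheduledTaskAction -Execute 'cmd.exe' `
                   -Argument "/c `"$dir\$($s.Bat)`"" -WorkingDirectory $dir
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $days -At $s.At
    # Step 2: -RunLevel Highest. Step 3: storing a password with -User/-Password
    # registers the task as 'run whether user is logged on or not'.
    Register-ScheduledTask -TaskName $s.Name -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
        -RunLevel Highest -Force | Out-Null
}

# Check the result: the registered tasks, the folder ACL and the current switch state.
Get-ScheduledTask -TaskName 'WebLock-*' | Select-Object TaskName, State
icacls $dir
reg query $key /v enabled
```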
That’s pretty much it. It’s hardly elegant, but this way you can restrict users’ access to the web during working hours, but turn it back on for lunch breaks etc.