echo: nthelp
to: Hrvoje Mesing
from: Gary Britt
date: 2005-03-28 11:18:06
subject: Re: restrict users` internet access

From: "Gary Britt" 

You could boot up local only without logging in to the domain and get
internet access at every shop I've ever seen.  If the machine is so locked
down that there is no way to create or otherwise boot local only, then one
could boot linux cd or a BartPE type windows CD and get to the internet in
all likelihood.  I guess you could set each machine to not boot from a CD
or floppy in bios, but you'd need to be able to lock down the bios then.

Using hardware and IP address blocking sounds more secure, but a really
sophisticated user could probably figure out how to change their IP
address. Maybe there is a way to prevent that.

Gary

"Hrvoje Mesing" wrote in message news:4248156e{at}w3.nls.net...
>
> "Ellen K." wrote in message
> news:frie411ubovd2ghdv5f67hdqd2rdcd22vq{at}4ax.com...
> > Not my area of responsibility but I always like to help if I can:
> > We want to restrict the rank-and-file users to a few allowed sites like
> > FedEx and UPS.  In our morning briefing the other day it was stated that
> > everyone would have to have fixed IP addresses to do this (that part I
> > understand, since the restrictions are not to apply to everyone) and we
> > would have to have a proxy server.
> >
> > I actually don't know what a proxy server even is, but the IT director
> > said it's complicated.   So first of all, is it true that we would need
> > a proxy server?   And secondly, if so, is it complicated?
> >
> > Alternatively, is there any other way to do it?  We want to leave people
> > like directors and IT with full internet access.   Most boxes have no
> > external IP address and a dynamic internal one.  The only ones with
> > fixed internal ones are people who pcAW in to their desktop, which for
> > all I know might only be me because when they set up an additional
> > desktop for me recently they left the internal address dynamic and I
> > couldn't get to it.
>
> ---
>
> Hi,
>
> ..also depends on how big You are.
> You could check CSM proxy, or HW proxy BlueCoat (say 800).
> I would say that both can be integrated into Win AD domain (BlueCoat can
> for sure).
> From there You can enforce GPO_s with which You can granular Internet
> Access as You wish.
>
> Bye,
>
>
> ---
> M.
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
