Need to Restrict Internet Access in a Workgroup

TeddyTed
Regular Member
Posts: 224
Joined: Tue Mar 20, 2001 12:00 am
Location: Briarwood NY

Post by TeddyTed »

Hey everyone, I'm looking for a suggestion on the following scenario in my client's office.



Workgroup of 13 workstations (11 XP machines, 2 Vista) and 1 Win 2K3 server.
Sonicwall TZ 170 Standard OS
Trend Micro Client / Server Security Suite.
2 Networked Oki printers
Basically, the client would like to completely restrict Internet access for ONLY 4 people in the workgroup. I've thought about implementing content filtering, but from what I've seen, it only allows filtering out various categories of websites, not blocking Internet access completely.
Is there a way/solution to completely block Internet access for specific PCs in a workgroup without affecting access to other network resources?

Your input is much appreciated.

Regards,
TB
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Static IP assignments..and leave the gateway blank. So you'll manually type in the IP address (outside of the DHCP pool), the subnet mask, and your server's IP address for DNS...and leave the gateway entry totally blank.
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by TeddyTed »

Thanks for your feedback YOSTC,

So you’re saying this approach would still allow connections to the server for database access as well as virus definition updates being pushed out from the Trend Micro Security Server?

Post by YeOldeStonecat »

Access to all local network resources...yes. The gateway just tells a computer how to get to a different network (such as the Internet).

Now..for your Trend Micro updates...I'm assuming you have a main server which runs centralized antivirus management on your network. If so..yes..it'll still get updates from this local server's mirror. If you're talking about workstations still getting updates from Trend Micro's internet based public servers..then no.

Post by TeddyTed »

Well, it is a centralized server but I’m actually using an older box (Win2k SVR - which was previously the DB server) as the Virus Server console.
So basically, the workstations are not looking at the same machine for Database access and virus definition updates. I assume that would be a problem, right?

Post by YeOldeStonecat »

TeddyTed wrote:
> Well, it is a centralized server but I’m actually using an older box (Win2k SVR - which was previously the DB server) as the Virus Server console.
> So basically, the workstations are not looking at the same machine for Database access and virus definition updates. I assume that would be a problem, right?

If this antivirus update server is still on your local network...no problem. Removing the gateway entry only takes away the ability of the workstations to get to the internet...to "leave" your local area network. Think of the gateway as an onramp to the internet highway for all computers on your network. Without this onramp..they're stuck on your network...can't get out.

Post by TeddyTed »

Sounds like a plan. I'll give it a go when I get to that office location later on.


Thanks for your help.


- TB

Post by TeddyTed »

YOSTC, I went with your suggestion and all looks well except, now I’m not able to connect to those workstations via remote desktop because they're outside the DHCP scope on the TZ 170. I typically connect to the Antivirus security server and then connect to workstations on the network.
Looks like that's going to be the trade off.

Thanks,

TB

Post by YeOldeStonecat »

That's not making sense...it's still the same subnet, example..if your Sonicwall is 192.168.1.1, the rest of your network is 192.168.1.xxx.....the workstations getting IP starting at say...192.168.1.100, the server of course static....at something like 192.168.1.10, you don't run DNS on the server..so you can use your Sonicwall for that..192.168.1.1, would also be the gateway. So do these 4x rigs at something outside the DHCP pool..like 192.168.1.20, 192.168.1.21, etc. Subnet mask on all something like 255.255.255.0
Post by TeddyTed »

My mistake, I just remoted in and tested another one of the machines and it worked fine.

Thanks YOSTC !
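
An added example (not part of the original thread): a Python check that parses `ipconfig /all` output from one of the restricted workstations and confirms the blank-gateway setup described above still holds, then models why LAN hosts stay reachable while off-subnet addresses do not. The sample output, the DHCP pool end (192.168.1.199) and the 203.0.113.5 test address are constructed assumptions; the other addresses are the examples given in the thread.

```python
import ipaddress

# Constructed sample of XP-style `ipconfig /all` output (not from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

def parse_ipconfig(text):
    """Return {label: value} for the indented 'Label . . . : value' lines."""
    fields = {}
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and ":" in line:
            label, _, value = line.partition(":")
            fields[label.strip(" .")] = value.strip()
    return fields

def audit(fields, pool_start, pool_end):
    """List settings that would undo or weaken the no-gateway restriction."""
    findings = []
    ip = ipaddress.ip_address(fields["IP Address"])
    if fields.get("Default Gateway"):
        findings.append("default gateway set: " + fields["Default Gateway"])
    if fields.get("Dhcp Enabled", "").lower() != "no":
        findings.append("DHCP enabled: a lease would supply a gateway")
    if ipaddress.ip_address(pool_start) <= ip <= ipaddress.ip_address(pool_end):
        findings.append("static IP lies inside the DHCP pool")
    return findings

def can_reach(fields, dest):
    """Host routing decision: on-link destinations need no gateway."""
    net = ipaddress.ip_network(
        fields["IP Address"] + "/" + fields["Subnet Mask"], strict=False)
    if ipaddress.ip_address(dest) in net:
        return True                              # delivered directly on the LAN
    return bool(fields.get("Default Gateway"))   # off-subnet needs a gateway

if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    print("findings:", audit(cfg, "192.168.1.100", "192.168.1.199"))
    print("server reachable:", can_reach(cfg, "192.168.1.10"))
    print("internet reachable:", can_reach(cfg, "203.0.113.5"))
```

Anyone with local administrator rights on a workstation can re-enter a gateway, so a check like this is worth repeating rather than running once.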