Need to block access to all but three websites

Discussion in 'Hardware' started by moodymutey, Oct 27, 2011.

  1. moodymutey

    moodymutey Private E-2

    This seems like an obvious need, but no matter how much I google it, I have yet to find a solution. I am managing a hospital server network consisting of about 50 workstations running XP SP3 with about 50 individual users at the non-administrative level. Certain of the workstations are supposed to be used solely for accessing 3 specific URLs under a generic Windows user login. Since other workstations require relatively full internet access, I don't think I can use a server-based application to accomplish this restriction. I am looking for a piece of software I can put on each of these workstations that will restrict access to only three designated web addresses. None of the content controls built into IE seem to have this ability.
     
  2. brownizs

    brownizs MajorGeek

    You need to use proper firewall hardware, utilize VLANs, and GPO on the workstations. There are rules written specifically for hospitals and medical professionals; I suggest that you read up on them. I also suggest hiring a consultant that knows how to properly secure your network with the correct policies, so that it does not get not only you but anyone else working on it in trouble.
     
  3. foogoo

    foogoo Major "foogoo" Geek

    I'd google XP Kiosk Mode... but just off the top of my head, I'd try to put those 3 websites in the hosts file, then take the DNS server out of the IP config or use 127.0.0.1. I think that would make the machine only see sites listed in the hosts file. On the flip side, any smarty that knows the IP of a site could bypass this, but not many people do.

    This has not been tested by me but sounds reasonable.

    http://www.codework-systems.com/products/currentware/browsecontrol/
    http://support.microsoft.com/kb/555463
     
  4. moodymutey

    moodymutey Private E-2

    Hey, Brownizs, thanks for the reply. If hiring a consultant was a viable, acceptable option, I would not have bothered to post here. Got to figure this out myself, as cheaply as possible.
    The rules you refer to, do you mean the HIPAA regulations for privacy of patient data? I already have that stuff coming out my ears; it's what's driving me to lock down workstations.
    The most promising possibility so far: the hospital network is fronted with a Sonicwall TZ210 firewall. It has content filtering built in. It's possible to build a layered set of filters such that each group of users can be granted access to what is appropriate to their position. That structure can then be tied to the user structure (name and password) of the server Active Directory through LDAP. Then, when a particular user logs on to a workstation, the Sonicwall grants access only to the websites that are permitted in that user's content policy. The tricky part (at least the part I don't understand yet) is how the LDAP linkage process happens. I can get Sonicwall to help me with that part.
     
  5. moodymutey

    moodymutey Private E-2

    Foogoo, I have played with Kiosk mode in the past, but it's too easy to get out of it (simply pressing control/alt/del). I need something that even a clever user can't get around. Also, kiosk mode only seems to allow one particular website.
    What do you mean by "host" file? Where is it located?

    I checked out your suggestion of "Browse-Control". It would definitely do everything I need. The problem is the cost. 50 licenses would cost a thousand dollars. As I mentioned above, my best hope at the moment is the Sonicwall.
     
  6. brownizs

    brownizs MajorGeek

    You are going to have to get it figured out, because the worst thing that you would not want to happen is to lose your job because your facility did not pass an audit. The worst thing to place on a resume is that you cost your company thousands of dollars in fines because you got into something that was way over your head.

    You can find consultants; some are right now looking for work, know this stuff, and would probably be cheap. Do not be afraid to go to the bosses and tell them that you got in too far over your head. Just be ready for the stuff to hit the fan.
     
  7. foogoo

    foogoo Major "foogoo" Geek

    Don't forget to set the DNS to 127.0.0.1.
    The hosts file is located at
    Windows XP c:\windows\system32\drivers\etc\hosts

    You can edit it with Notepad; just type the IP, hit Tab, and then the domain name you're resolving.
    173.194.64.147 [tab] google.com
    You have to hit the TAB key in between the IP and the name when editing the hosts file!

    To get the IP, you can go to Start > Run > type CMD, then type ping google.com (website name)

    more info
    http://accs-net.com/hosts/how_to_use_hosts.html

    Like I said, a clever user can bypass this if they know what IP address they are looking for. By the way, there are ways to disable ctrl-alt-del and make IE your 'shell' (kiosk), then set one of the three sites as your home page.
    But this is a kludge and you may want to heed brownizs' warnings.

    Let me know how it works.
     
    Last edited: Oct 31, 2011
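The hosts-file approach foogoo describes above, modelled in code so the behaviour and its limits are visible. This is an added example and not code from anyone in the thread; the hosts file it parses is constructed for the example, and the `.test` hostnames and `192.0.2.x` addresses in it are placeholders, not the real sites. `parse_hosts`, `render_hosts`, `resolve_without_dns` and `classify_target` are names chosen here.

```python
"""Model of a hosts-file allowlist with the DNS server set to 127.0.0.1.

With no DNS server answering, the hosts file is the only source of name
resolution, so a name that is not listed simply fails to resolve. The
functions below parse and generate hosts-file entries and show which
requests the scheme covers and which it does not.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample hosts file for this example. The real file on XP lives at
# c:\windows\system32\drivers\etc\hosts. Addresses are documentation
# placeholders (RFC 5737), not real site IPs.
SAMPLE_HOSTS = """\
# Kiosk allowlist, maintained by IT
127.0.0.1\tlocalhost
192.0.2.10\temr.example-hospital.test      # EMR portal
192.0.2.20\tlabs.example-hospital.test     # lab results
192.0.2.30\tpolicy.example-hospital.test  www.policy.example-hospital.test
not-an-ip\tbroken.example.test
"""


def parse_hosts(text):
    """Return ({hostname: ip}, [(lineno, raw_line), ...]) from hosts-file text.

    Handles '#' comments, blank lines, and any run of spaces or tabs between
    fields (Windows accepts either, though the thread recommends TAB). Lines
    whose first field is not a valid IP address are reported rather than
    silently dropped, because a typo there breaks that entry without warning.
    """
    mapping, bad_lines = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"[ \t]+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append((lineno, raw))
            continue
        for name in fields[1:]:
            mapping[name.lower()] = str(ip)
    return mapping, bad_lines


def render_hosts(entries):
    """Produce hosts-file lines (IP, TAB, name) from {hostname: ip}.

    Raises ValueError on an invalid address so a bad entry is never written.
    Note that a hard-coded IP goes stale when the site changes address; the
    file must then be updated on every kiosk.
    """
    lines = []
    for name, ip in entries.items():
        ipaddress.ip_address(ip)  # validate before writing
        lines.append(f"{ip}\t{name}")
    return "\n".join(lines) + "\n"


def resolve_without_dns(hostname, mapping):
    """Name lookup as it behaves with DNS pointed at 127.0.0.1 and nothing
    listening: the hosts file answers, or the name does not resolve (None)."""
    return mapping.get(hostname.lower())


def classify_target(url, mapping):
    """Say what the hosts-file scheme does with a request for `url`.

    'allowed'  - hostname is listed, so it resolves to the listed address
    'blocked'  - hostname is not listed and cannot resolve
    'not-covered' - the URL uses a literal IP, so name resolution never
                    happens and the hosts file has no effect (the bypass
                    foogoo mentions; only a firewall or proxy rule covers it)
    """
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "not-covered"
    except ValueError:
        pass
    return "allowed" if resolve_without_dns(host, mapping) else "blocked"


if __name__ == "__main__":
    table, bad = parse_hosts(SAMPLE_HOSTS)
    for lineno, raw in bad:
        print(f"line {lineno} ignored (invalid IP): {raw!r}")
    for target in ("http://emr.example-hospital.test/login",
                   "http://google.com/", "http://192.0.2.99/"):
        print(f"{target:45s} {classify_target(target, table)}")
```

Run as a script it prints one verdict per sample URL; the 'not-covered' result is the reason the thread treats this as a kludge rather than a control, and why the firewall-based options discussed later cover more ground.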
  8. brownizs

    brownizs MajorGeek

    foogoo, that may work at home, but you have to remember that there are strict guidelines that a medical facility must stick by, especially with computers and data. Facilities have been shut down and fined hundreds of thousands of dollars for not abiding by the rules.
     
  9. foogoo

    foogoo Major "foogoo" Geek

    Look, the poster read your warning; I told him to take it under advisement too. I don't know the rules (HIPAA or HEPA, whatever), and I am guessing you don't either, so if this guy works in that field he should know the consequences.

    And FYI, I worked at a local hospital and they didn't seem to take things that seriously either. The whole IT dept. was a bunch of good ol' boys that kludged a system together. Then one day one guy decided he needed a raise; when he was told no he quit and the whole 'department' followed him out, figuring the hospital would beg them to come back. That is how I worked at a hospital for a few weeks between jobs.

    I've avoided situations where I feel I could do damage if I messed up; if the situation was that important I'd be bonded so the company wouldn't incur a loss.
     
  10. brownizs

    brownizs MajorGeek

    Actually foogoo, I do know the rules regarding HIPAA, because my job involves working with it all day long, and I also helped friends that run a Physical & Occupational Therapy clinic get through the whole choosing-software part. HIPAA is one of those areas where you do not want to cut corners, and there are specific rules involved when dealing with computer systems, in safeguarding data & access to those systems.
     
  11. handygal

    handygal First Sergeant

    The extremely simplified answer is Sonicwall will allow you to put those three users in their own group. Lock down every category and then make 3 exceptions for that group. It works, just ask my staff.

    Who is managing the firewall? It might need updates and its subscription checked.
     
  12. moodymutey

    moodymutey Private E-2

    Sorry guys. That is a lot of really interesting feedback that I want to respond to. I am currently on a vacation trip without PC access, so I will respond as soon as I get back.
     
  13. foogoo

    foogoo Major "foogoo" Geek

    Also, there is a free firewall called IPCop that has whitelists and blacklists.
     
  14. moodymutey

    moodymutey Private E-2

    Appreciate all the feedback. First let me explain the situation a little more. My little hospital is already on a browser-based EMR system that requires a user-based login in order to access patient data. That already meets HIPAA requirements and takes a major part of the responsibility off of me. Secondly, in preparation for Meaningful Use Attestation (which I assume is what Brownizs is worried about) the hospital has already had an assessment by a consultant as to what needs to be fixed. That is where my question originated. I have to find the proper compromise between the security requirements of Meaningful Use and the user-friendliness of the system for staff, especially the nurses.

    Handygal is correct in saying that the Sonicwall firewall I already have has all the necessary capabilities. The problem is, if I take that approach, I have to assign a Sonicwall user ID and password in addition to Windows, EMR, and in some cases financial operating software passwords. That is way too much to expect from an already way overloaded nurse who is using multiple computers on the run. Hence the need to find a straightforward way to completely shut down a certain number of the computers while allowing the rest of the computers much greater flexibility based on the content filtering capabilities built into the Sonicwall.

    The best answer to shutting the computers down is the program suggested by Foogoo: Browse Control. But rather than having to buy licenses for every computer, I only need to buy enough to cover the computers that are only to have access to three specific websites. That is within my budget and, as far as I can tell, will meet the Meaningful Use criteria.
     
