I'm having a bit of a problem here and need to know if it's possible to lock specific websites so that they can not be accessed on this computer.  I'm running Internet Explorer.

Thanks,
Clint

Tools, options, security, restricted sites, add in a site.

You'll have to figure out on your own how to stop the person in question from following the same steps to undo what you just did.

Quoted: Tools, options, security, restricted sites, add in a site. You'll have to figure out on your own how to stop the person in question from following the same steps to undo what you just did.

Close.  Restricted sites don't block access.  They set the security settings for those sites, such as cookies and Active X controls.

Log on as an Admin.
In IE, Click on Tool>Internet Options.
On the contents tab, click on "enable" under content advisor.  On the approved sites tab, type in the URL you do NOT want them to access, and place it in the "never" category.  Place a "*.*" (minus the quotes) as an allowed URL.  Set you Language, Nudity, Violence options (if desired).  On the general tab, choose the option that allows people to view non rated sites.
Set your password.  Unless someone knows the password they can't change your setting very easily. (unless you are running something like XP with system restore, and the other party has admin rights).

Also, your router may have options to block websites. We had a netgear wireless router that let you ban websites specifically. It would show a page saying that the website was restricted.

Will that work if you have two browsers?  If it's blocked in IE, would it be blocked in Mozilla?



It's an IE specific setting.  It will not port over to another browser.

The easiest way is to setup the url of the site you want to block in the host file with a local loopback address.

www.mvps.org/winhelp2002/hosts.htm

In windows there is really no effective way to limit anyone from doing anything, anyone with any reasonable computer skills will get around it.

Quoted: Also, your router may have options to block websites. We had a netgear wireless router that let you ban websites specifically. It would show a page saying that the website was restricted.

The hardest part about blocking websites via URL in the browser window, or through a router, is that if the user can type the IP address for access.  So, if you specify the URL, but you can type the IP address into the URL, you can still bypass the filter.  However, if you ban it specifically by IP address, a DNS change could end up undoing all you blocked.  Also, certain proxies can be used to bypass the filters.

Quoted: The easiest way is to setup the url of the site you want to block in the host file with a local loopback address.

Not necessarily anymore.  Latest versions of windows automatically use DNS before host files for name resolution.  If your machine make a DNS querry, and recieves a response from a DNS server, prior to making the host file lookup then a hostfile entry does no good.  There are some registry entries you can make to have the machine force a host file lookup before DNS querry, but I don't know it off the top of my head.

navigate to C:\WINDOWS\system32\drivers\etc

open the "hosts" file with notepad

add a line that reads:

168.142.226.43  www.ar15.com

save the file and close out.

What will happen there is that any page in the ar15.com domain will open 168.142.226.43, which is Yahoo.

You can add any website and IP in there that you want.

Evil tricks can be played this way too

Quoted: Quoted: The easiest way is to setup the url of the site you want to block in the host file with a local loopback address. Not necessarily anymore.  Latest versions of windows automatically use DNS before host files for name resolution.  If your machine make a DNS querry, and recieves a response from a DNS server, prior to making the host file lookup then a hostfile entry does no good.  There are some registry entries you can make to have the machine force a host file lookup before DNS querry, but I don't know it off the top of my head.

Doesn't the DNS Client have to be running to do that? I've yet to see a website that wasn't successfully blocked with a host file entry.

Quoted: Quoted: Quoted: The easiest way is to setup the url of the site you want to block in the host file with a local loopback address. Not necessarily anymore.  Latest versions of windows automatically use DNS before host files for name resolution.  If your machine make a DNS querry, and recieves a response from a DNS server, prior to making the host file lookup then a hostfile entry does no good.  There are some registry entries you can make to have the machine force a host file lookup before DNS querry, but I don't know it off the top of my head. Doesn't the DNS Client have to be running to do that? I've yet to see a website that wasn't successfully blocked with a host file entry.

By default, Win 2K and XP machines want to use DNS.  If they are DHCP clients, then their DNS server can be set dynamically.  This includes home machines on dialup/cable/dsl who use DHCP to configure the IP.  Even if you use a router, it will still set the DNS automatically.

There are other problems, such as if you use a proxy server.  Proxy clients don't perform their own name resolution.  They submit the request directly to the proxy server, and they don't even querry their own DNS server directly.  If you place a host file entry on a system that is a proxy client, it will never check a DNS server, DNS cahced entry, or host file for name resolution.  It leaves all that up to a proxy.  At least in standard proxy/ISA configurations.

The ability to use a host file to block websites, or to misdirect web querries, is pretty much limited.  You need to be running a machine that querries host files before DNS, is not a proxy client, doesn't have the entry in the DNS cache (can be cleared by rebooting or running ipconfig /flushdns), and is a non proxy client.

Also, if you disable DNS querries, the only hosts you can see are those that are in a hosts file, lmhosts file or resolved via broadcasts/WINS.  Try disabling your dns clinet in Computer management.  Then flush your DNS cache.  Then try to resolve an internet host, specifically one you haven't used before.

Quoted: Also, if you disable DNS querries, the only hosts you can see are those that are in a hosts file, lmhosts file or resolved via broadcasts/WINS.  Try disabling your dns clinet in Computer management.  Then flush your DNS cache.  Then try to resolve an internet host, specifically one you haven't used before.

My DNS Client is disabled in WinXP Pro SP2 and I'm not part of a domain. I have not found a website that I can't successfully block with a host file entry nor access one that is not blocked.  

Quoted: Quoted: Also, if you disable DNS querries, the only hosts you can see are those that are in a hosts file, lmhosts file or resolved via broadcasts/WINS.  Try disabling your dns clinet in Computer management.  Then flush your DNS cache.  Then try to resolve an internet host, specifically one you haven't used before. My DNS Client is disabled in WinXP Pro SP2 and I'm not part of a domain. I have not found a website that I can't successfully block with a host file entry nor access one that is not blocked.

+1

I've never had a problem with a host file edit.

I can tell from Joe_Blacke's post that he knows WAY more about this than I do, but the host file trick works for me.

If you DNS client is disabled, and you do not have the name resolution information in a host file, then how could you possibly resolve internet hosts?  Internet hosts NEED a FQDN (Fully qualified domain name).  That is why we use the .com, .net, .edu, etc.  In order to resolve it, you need a resolution method.  For a FQDN name, the only two methods are via DNS, or a host file.  LMhosts, netbios broadcasts, and WINS won't work for internet host.  They are based of a flat naming structure.

Now, it is possible that your machines will querry a hosts file prior to performing a DNS lookup.  If your host file querry fails, then outside of DNS, you have no way to resolve internet hostnames.

Go to a command prompt, and type:  NSLOOKUP  
What happens?


I'll try and do some research on registry settings for hostname resolution order.  There is a certain configuration that determines if you use DNS prior to Host files.  Microsoft security seminars have been beating this topic for a while.  Previous versions used hosts files prior to DNS, but would still use DNS if the entry was not found in the host file.  Microsoft said that by XP SP2 it was supposed to be changed so that DNS would be the preferred resolution method.  It would "theoretically" help speed up the resolution process as most people only have a loopback address in the host file, and querrying it is unecessary.

Quoted: If you DNS client is disabled, and you do not have the name resolution information in a host file, then how could you possibly resolve internet hosts?  Internet hosts NEED a FQDN (Fully qualified domain name).  That is why we use the .com, .net, .edu, etc.  In order to resolve it, you need a resolution method.  For a FQDN name, the only two methods are via DNS, or a host file.  LMhosts, netbios broadcasts, and WINS won't work for internet host.  They are based of a flat naming structure. Now, it is possible that your machines will querry a hosts file prior to performing a DNS lookup.  If your host file querry fails, then outside of DNS, you have no way to resolve internet hostnames. Go to a command prompt, and type:  NSLOOKUP   What happens?

I was under the impression that all NT/XP machines query the hosts file prior to a DNS look up...if there's an entry in the hosts file it goes there. If not, then DNS.

Quoted: I was under the impression that all NT/XP machines query the hosts file prior to a DNS look up...if there's an entry in the hosts file it goes there. If not, then DNS.

Back in the NT, and 2000 days, this was the case.  About 2 years ago, the MS security summit I attended said that MS was supposed to be changing it.

Here is the reg key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider

Quoted: The easiest way is to setup the url of the site you want to block in the host file with a local loopback address. www.mvps.org/winhelp2002/hosts.htm

I stopped my girlfriend's teenage daughter from going to "forbidden" sites by redirecting them all to my mom's geneaology page.

I just did a quick test on another system (I can't use mine as it is uses a special build). I disabled DNS client service, cleared the cache, and entered a host file entry for cnn.com with the wrong IP address.  I then did a ping and received an "unknown host" error message.  I then re-enabled DNS client, performed an NSlookup, and resolved properly.  A second Ping showed that it was attempting to ping the correct address, and ignored the wrong setting in the host file.  I know for a fact, that at least this machine performs DNS lookups before host files.  However, it all depends on the registry setting for your preferred order.

Quoted: ...I know for a fact, that at least this machine performs DNS lookups before host files.

That would be very, very strange.

Quoted: Go to a command prompt, and type:  NSLOOKUP   What happens?

The default server/address points to the first of three dns entries of my ISP.

The default server is you dns server.  That means you are still using DNS for name resolution.  NS stands for "name server".  You can also run an IPCONFIG /all to see your dns servers.

The local host file gets preloaded in the dns resolver cache and reloaded if the host file is updated.


How DNS query works

As shown in the initial steps of the query process, a DNS domain name is used in a program on the local computer. The request is then passed to the DNS Client service for resolution using locally cached information. If the queried name can be resolved, the query is answered and the process is completed.

The local resolver cache can include name information obtained from two possible sources:
•

If a Hosts file is configured locally, any host name-to-address mappings from that file are preloaded into the cache when the DNS Client service is started.
•

Resource records obtained in answered responses from previous DNS queries are added to the cache and kept for a period of time.

If the query does not match an entry in the cache, the resolution process continues with the client querying a DNS server to resolve the name.