Couple options....
1. Find out what port s/he is plugged into on the 3560. Being a Layer 3 switch, you can apply a Layer 3 ACL directly to the port they live on (see below).

    Switch(config)# access-list 101 deny tcp any any eq 80
    Switch(config)# access-list 101 permit ip any any
    Switch(config)# interface fastEthernet0/1
    Switch(config-if)# ip access-group 101 in

2. Deny them on the PIX (see below).

    PIX(config)# access-list INSIDE_ACCESS_OUT deny tcp host 1.1.1.1 any eq 80
    PIX(config)# access-list INSIDE_ACCESS_OUT permit ip any any
    PIX(config)# access-group INSIDE_ACCESS_OUT in interface <name of interface>

HTH,

Aaron Rohyans
IT Coordinator, IDC-USA
[EMAIL PROTECTED]
317.244.8307 (V)
317.244.4600 (F)

________________________________

From: Roger Wright [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2008 2:54 PM
To: NT System Admin Issues
Subject: RE: Need to take away internet access for a user..

However, this sounds like a management issue, not an IT issue. Unfortunately, you'll find yourself stuck in the middle... again.

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388

_____

From: Chyka, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2008 2:49 PM
To: NT System Admin Issues
Subject: Need to take away internet access for a user..

We have a Windows 2003 domain and a Cisco infrastructure at a small site (PIX 515, Cisco 3560s). What is the easiest way to take away internet access for a workstation? Is there anything I can do at the PIX, i.e., block port 80 traffic for a certain IP, etc.?

The user is savvy... at first I added a fake proxy setting in IE, but they found it. Management doesn't want to tell them straight out yet...

Thanks for any help.
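
The two ACLs from the first reply in this thread, run through a small first-match evaluator to show which flows each one actually stops. This is an added example, not part of the original messages: the function names, the destination 203.0.113.10 and the second host 1.1.1.2 are constructed, and only the ACL syntax that appears in the thread is modelled.

```python
# Added example: first-match evaluation of the two ACLs quoted in the thread.
# Only the syntax used there is modelled: any | host A.B.C.D, optional "eq <port>".
SWITCH_ACL = ["deny tcp any any eq 80", "permit ip any any"]        # access-list 101
PIX_ACL = ["deny tcp host 1.1.1.1 any eq 80", "permit ip any any"]  # INSIDE_ACCESS_OUT


def parse_ace(line):
    """Turn one ACL entry into (action, proto, src, dst, port); None means 'any'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take_addr():
        word = rest.pop(0)
        if word == "any":
            return None
        if word == "host":
            return rest.pop(0)
        raise ValueError("unsupported address spec: " + word)

    src, dst = take_addr(), take_addr()
    port = None
    if rest:
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError("unsupported port spec: " + " ".join(rest))
        port = int(rest[1])
    return action, proto, src, dst, port


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow; the first matching entry wins."""
    for line in acl:
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if a_src not in (None, src) or a_dst not in (None, dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


def coverage(acl, src, ports=(80, 443, 8080)):
    """Verdict per TCP destination port for one source host (constructed flows)."""
    dst = "203.0.113.10"  # constructed destination (documentation address range)
    return {p: evaluate(acl, "tcp", src, dst, p) for p in ports}


if __name__ == "__main__":
    print("3560 port ACL, any host:", coverage(SWITCH_ACL, "1.1.1.1"))
    print("PIX ACL, 1.1.1.1:       ", coverage(PIX_ACL, "1.1.1.1"))
    print("PIX ACL, 1.1.1.2:       ", coverage(PIX_ACL, "1.1.1.2"))
```

Both ACLs match TCP destination port 80 only and permit everything else, so check the result against every port the workstation is meant to lose before relying on either one.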
