The only 100% foolproof mechanism would be to block at the PIX all internet-destined traffic originating from that computer.
Any other mechanism - fake proxy settings, blocking only port 80, etc. - can be gotten around by a sufficiently savvy end-user. As you found out, if you set a fake proxy the end-user could unset it. The end-user could install an HTTP proxy on his home computer and configure IE to use that, thereby getting around the port 80/443 block. Even if the end-user isn't a local administrator they could install Firefox to a location other than C:\Program Files, getting around any proxy settings enforced via GPO.

Chyka, Robert wrote:
> We have a Windows 2003 domain and a Cisco infrastructure at a small site
> (PIX 515, Cisco 3560s). What is the easiest way to take away internet
> access for a workstation? Is there anything I can do at the PIX?
> I.e., block port 80 traffic for a certain IP, etc.?
>
> The user is savvy... at first I added a fake proxy setting in IE, but they
> found it. Management doesn't want to tell them straight out yet...

--
Phil Brutsche
[EMAIL PROTECTED]
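The difference between a port-only block and a full block at the firewall, as an added example that is not part of the original thread: a small Python first-match evaluator run over two constructed PIX-style access lists. The ACL name `inside_in`, the workstation address 192.0.2.50 and the sample flows are assumptions, and only `host`/`any` addresses with an optional `eq` port are parsed.

```python
# Added example; ACL name, addresses and flows are constructed for illustration.
PORT_ONLY_ACL = """\
access-list inside_in deny tcp host 192.0.2.50 any eq www
access-list inside_in deny tcp host 192.0.2.50 any eq https
access-list inside_in permit ip any any
"""
FULL_BLOCK_ACL = """\
access-list inside_in deny ip host 192.0.2.50 any
access-list inside_in permit ip any any
"""
PORT_NAMES = {"www": 80, "https": 443}
SAMPLE_FLOWS = [  # (label, protocol, destination, destination port)
    ("HTTP", "tcp", "203.0.113.10", 80),
    ("HTTP proxy on port 8080", "tcp", "198.51.100.7", 8080),
    ("DNS query", "udp", "203.0.113.53", 53),
]

def _take_addr(tokens):
    """Consume 'any' or 'host <ip>'; None stands for any address."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {word}")

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        _, _, action, proto, *rest = line.split()
        src, dst = _take_addr(rest), _take_addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, port):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, port)):
            return action
    return "deny"

def leaks(acl_text, host):
    """Labels of the sample flows from `host` that the ACL still permits."""
    rules = parse_acl(acl_text)
    return [label for label, proto, dst, port in SAMPLE_FLOWS
            if evaluate(rules, proto, host, dst, port) == "permit"]
```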
