Domain Controller, DNS Server and OpenDNS - Block 1 user?

Question

We have a domain controller (Windows Server 2008R2) which is also our DNS server. The DNS server has a forwarder that points to OpenDNS (www.opendns.org).

All of our workstations (Windows XP Pro) are configured to point to our local DNS server. I don't want to keep blocking individual websites for all users as it's getting a bit messy.

Ideally, I would like to allow pretty much all websites (except a few of the categories in OpenDNS, for security reasons) and then if/when management decide a user is taking liberties I would be able to block their internet access for X days.

Is this possible with Active Directory? Maybe something in the users profile?

I realise that there is a lot of debate about whether these kind of issues are technical or managerial. I am trying to allow more access to all of our staff but keep the option to temporarily enforce a complete block for individual users. For example, if a user visits Facebook once or twice a day but it makes no impact on their work then it's fine. If, however, a user stays on Facebook all day then I would want to block their internet after a discussion with management and then unblock it a few days later and see if the lesson has been learnt for a while.

Answer 1

I'm a little embarrassed to admit that I've done this before, but the "cheapest" way I've found to do this (assuming the user can't install or otherwise use third-party web browser software) is to use Group Policy to configure Internet Explorer, for the offending user, to use a bogus HTTP / HTTPS proxy server (i.e. an IP / port that doesn't answer-- preferably one that actually rejects the TCP connection attempt). I put "permitted" web sites into the proxy bypass list.

It's a very "cheap" way to do what you're looking for and utterly easy to bypass if the user can install or use third-party browser software.

One "righter" way to do this would be to force outbound HTTP / HTTPS through a proxy server that allows for per-user ACLs. Squid with NTLM authentication can do this with no software licensing cost and can provide a fairly nice transparent authentication experience for domain-joined Windows machines accessing web sites through it.