ARTICLE: Limited Browsing (Internet Explorer Lockdown)

Microsoft Internet Explorer, MSIE or IE as it is popularly known, is the most widely used browser. Embedding a browser in the operating system has paid off for a software giant like Microsoft. No wonder most website designs and back-end code are geared toward better functionality and display in IE rather than being cross-browser friendly. This has been the trend for quite a while now. And while condoning it does not really solve the issue, for now let us accept the fact that IE is here to stay.

This article will not delve into criticisms of IE or its flaws. Instead, it will tackle how to block access to certain websites. If you ask your system administrator about blocking a certain site, more often than not you will be told that it is hard to do, even impossible. Read on as we share with you the trick for getting it done.

For all intents and purposes, blocking access to a website requires basic knowledge of the Internet Protocol, or IP (of TCP/IP), and the Domain Name System, or DNS. Before going deeper into the tips and tricks, let us understand the underlying principles behind IP and DNS.

Internet Protocol (or IP) as defined by Wikipedia:

The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork.
IP is a network layer protocol in the internet protocol suite and is encapsulated in a data link layer protocol (e.g., Ethernet). As a lower layer protocol, IP provides the service of communicable unique global addressing amongst computers. This implies that the data link layer need not provide this service. Ethernet provides globally unique addresses except it is not globally communicable (i.e., two arbitrarily chosen Ethernet devices will only be able to communicate if they are on the same bus).

To keep the definition short, IP is an established protocol for data communication. It communicates by encapsulating data in packets (datagrams), in a manner very similar to how mail gets delivered -- with an address. For mail it is a shipping or mail-stop address, while for IP it is an IP address -- a unique set of numbers that identifies a particular member of a network.

On the other hand, based on Wikipedia's definition, DNS is:

The domain name system (DNS) stores and associates many types of information with domain names, but most importantly, it translates domain names (computer hostnames) to IP addresses. It also lists mail exchange servers accepting e-mail for each domain. In providing a worldwide keyword-based redirection service, DNS is an essential component of contemporary Internet use.

From the above, the most important function of DNS in browsing is to translate a fully qualified domain name (FQDN) to its IP address. With that knowledge and those brief definitions, it is time to discuss the tricks behind blocking websites.

Loopback Redirect. Blocking a website can in fact be very easy. Given the knowledge of IP and DNS from the previous page, it is easy to trick the browser. What do we mean by this? The example below will illustrate the point.

First of all, close all open Internet Explorer windows. Launch a Windows Explorer window and find the file "hosts" (location: %WINDIR%\system32\drivers\etc). Open it, add a new line at the end of the file, and enter this line:

Now, open an Internet Explorer window. Try to browse Microsoft's website: "". Are you able to browse the website?

The above example is one of many ways to block a website from the local computer. What this trick does is override the DNS lookup for the website's name with a hosts-file entry that points at the loopback IP address, which is your local machine, so the browser never reaches the real server. However, if you wish to block a number of sites, the process becomes tedious. Imagine trying to block more than a million sites on a bunch of computers you administer. What a task that would be!
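To take the tedium out of the hosts-file approach for more than one site, here is an added PowerShell example (not code from the original article) that appends loopback entries for a list of names, keeps a backup, tags its own lines so they can be audited and reverted, and checks that each name now resolves to 127.0.0.1. The hostnames in $BlockList and the marker text are constructed placeholders; the script assumes it runs from an elevated prompt, since the hosts file is writable only by administrators.

```powershell
# Added example, not from the original article: map a list of hostnames to the
# loopback address in the hosts file, with a backup, a marker for later removal,
# and a resolution check. Run from an elevated prompt.
# The hostnames below are constructed placeholders.

$HostsPath = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
$Marker    = '# managed-block'   # tag appended to every line this script adds
$BlockList = @('ads.example.invalid', 'tracker.example.invalid')

function Add-LoopbackBlock {
    param([string[]]$Hosts, [string]$Path = $HostsPath)

    # Keep a timestamped copy first; a broken hosts file is painful to diagnose.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak"

    $existing = Get-Content -Path $Path
    $added = foreach ($h in $Hosts) {
        # Skip a name that is already mapped on a non-comment line.
        $pattern = '\s' + [regex]::Escape($h) + '(\s|$)'
        $present = $existing | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
        if (-not $present) { "127.0.0.1`t$h`t$Marker" }
    }
    if ($added) { Add-Content -Path $Path -Value $added -Encoding Ascii }
    $added
}

function Test-LoopbackBlock {
    param([string[]]$Hosts)
    # Windows name resolution consults the hosts file before DNS, so a working
    # block shows up as the name resolving to 127.0.0.1. Flush the resolver
    # cache first so an answer cached before the edit is not reused.
    ipconfig /flushdns | Out-Null
    foreach ($h in $Hosts) {
        try   { $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString } }
        catch { $ips = @() }
        [pscustomobject]@{
            Host       = $h
            ResolvesTo = ($ips -join ',')
            Blocked    = ($ips -contains '127.0.0.1')
        }
    }
}

function Remove-LoopbackBlock {
    param([string]$Path = $HostsPath)
    # Revert by dropping only the lines carrying our marker; everything else stays.
    $kept = Get-Content -Path $Path | Where-Object { $_ -notlike "*$Marker" }
    Set-Content -Path $Path -Value $kept -Encoding Ascii
}

Add-LoopbackBlock -Hosts $BlockList | Out-Null
Test-LoopbackBlock -Hosts $BlockList | Format-Table -AutoSize
```

Two points worth noting for anyone managing this at scale: the check uses the .NET resolver rather than the browser, so it shows what any program on the machine will see, not just IE; and because the block lives on each computer, a user with local administrator rights can simply edit the file back, which is why the article moves on to a policy-based approach.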

Domain Blocking. To limit a machine's browsing to only a domain or two, the system administrator does not have to block the entire DNS realm of the internet using the above method. There is a simpler way to accomplish the same goal.

The gist of the tweak is to trick the browser into pointing at a bogus proxy (address and port) -- one that does not exist. For intranet sites, configure the browser to bypass the bogus proxy.

WARNING: Before proceeding, bear in mind that the procedure is destructive and can render the "guinea pig" computer browser-less if not executed with caution.

* Open the Group Policy Object Editor via Start --> Run... --> "gpedit.msc" (without quotes).
* In the Group Policy editor, browse to User Configuration --> Windows Settings --> Internet Explorer Maintenance --> Connection. A window similar to the one shown below should open.

* Open Proxy Settings by double-clicking it. The Proxy Settings window will open. Tick all the boxes: Enable proxy settings, Use the same proxy server for all addresses, and Do not use proxy server for local (intranet) addresses (see below). For the proxy Address, key in an unused IP address and a bogus port. In the Exceptions box, key in all the site URLs the machine is allowed to browse. For multiple values, separate each value with a semicolon.

* To make the policy changes stick, restrict access to the Connections tab of Internet Explorer. Browse to User Configuration --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel (see below). Open Disable the Connections page by double-clicking it. The Properties page will open showing the current configuration.

* By default, Disable the Connections page is set to Not Configured. Set it to Enabled and click OK.

Close the Group Policy Object Editor. The changes take effect without requiring a reboot of the machine.

With the lockdown in place, try browsing your favorite websites. When trying to access an external site, you will most likely get this:

Now, try browsing the intranet sites for the domain that was configured to bypass the proxy. The website should load as before. Revisit the procedure if it does not.
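The same lockdown, and the check at the end, can be scripted for a single machine. The added PowerShell example below (not code from the original article) writes the per-user Internet Settings values that the Proxy Settings dialog maps to, enables the "Disable the Connections page" restriction, and reports whether the lockdown is in place. The proxy address 192.0.2.1 is from the documentation range (RFC 5737), so it can never be a real proxy; the port and the bypass names are constructed placeholders. The registry value names ProxyEnable, ProxyServer and ProxyOverride are the documented Internet Settings values; that the Connections-page policy is stored as ConnectionsTab under the Control Panel policy key is my understanding of what the Group Policy setting writes and should be treated as an assumption.

```powershell
# Added example, not from the original article: apply the "bogus proxy" lockdown
# through the per-user registry values behind the Proxy Settings dialog, then
# verify it. Address, port and bypass names are constructed placeholders.

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IePolicyCP   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$BogusProxy   = '192.0.2.1:65000'                             # unused address and port
$Allowed      = @('intranet.corp.example', '*.corp.example')  # sites that stay reachable

function Backup-ProxySettings {
    # Capture the current values so the change can be undone; the article warns
    # that a careless run leaves the machine browser-less.
    $p = Get-ItemProperty -Path $InetSettings
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
    }
}

function Set-ProxyLockdown {
    param([string]$Proxy, [string[]]$Bypass)
    # ProxyServer as "host:port" covers all protocols, matching the
    # "use the same proxy server for all addresses" box. ProxyOverride is the
    # Exceptions list; "<local>" is the "do not use proxy for local addresses" box.
    Set-ItemProperty -Path $InetSettings -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $InetSettings -Name ProxyServer   -Value $Proxy
    Set-ItemProperty -Path $InetSettings -Name ProxyOverride -Value (($Bypass + '<local>') -join ';')

    # "Disable the Connections page": assumed to be ConnectionsTab=1 under this key.
    if (-not (Test-Path $IePolicyCP)) { New-Item -Path $IePolicyCP -Force | Out-Null }
    Set-ItemProperty -Path $IePolicyCP -Name ConnectionsTab -Value 1 -Type DWord
}

function Test-ProxyLockdown {
    param([string]$Proxy)
    # Report each part of the lockdown separately so a partial failure is visible.
    $p = Get-ItemProperty -Path $InetSettings
    $tabLocked = (Test-Path $IePolicyCP) -and
                 ((Get-ItemProperty -Path $IePolicyCP).ConnectionsTab -eq 1)
    [pscustomobject]@{
        ProxyEnabled         = ($p.ProxyEnable -eq 1)
        PointsAtBogusProxy   = ($p.ProxyServer -eq $Proxy)
        BypassList           = $p.ProxyOverride
        ConnectionsTabLocked = $tabLocked
    }
}

function Restore-ProxySettings {
    param($Saved)
    # Put back exactly what Backup-ProxySettings captured, removing values that
    # did not exist before.
    Set-ItemProperty -Path $InetSettings -Name ProxyEnable -Value ([int]$Saved.ProxyEnable) -Type DWord
    foreach ($n in 'ProxyServer', 'ProxyOverride') {
        if ($null -ne $Saved.$n) { Set-ItemProperty -Path $InetSettings -Name $n -Value $Saved.$n }
        else { Remove-ItemProperty -Path $InetSettings -Name $n -ErrorAction SilentlyContinue }
    }
    Remove-ItemProperty -Path $IePolicyCP -Name ConnectionsTab -ErrorAction SilentlyContinue
}

$saved = Backup-ProxySettings
Set-ProxyLockdown -Proxy $BogusProxy -Bypass $Allowed
Test-ProxyLockdown -Proxy $BogusProxy
# To undo: Restore-ProxySettings -Saved $saved
```

One caveat on where this fits: values under Internet Settings are a per-user preference, and anything set through Group Policy, whether the Internet Explorer Maintenance path the article walks through or a domain policy, takes precedence and is reapplied at refresh. On a domain-joined machine, use the policy route from the article for the lockdown itself and keep Test-ProxyLockdown as the verification step; the registry write is convenient for a single standalone machine or a lab.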

We at pimp-my-rig strive to keep on improving, help us reach that goal by leaving comments or constructive criticisms. Don't miss out on our next feature -- subscribe via RSS (What is RSS?).