how to force the use of a web proxy?

James Wilkinson fedora at aprilcottage.co.uk
Fri Jan 5 12:00:46 UTC 2007


Jamie C. Pole wrote:
> Configure your firewall to accept outbound http/https requests only from the 
> proxy server.  If the users try to change their proxy settings, the firewall 
> will block their attempts.  That will not stop the users from accessing web 
> servers on "creative" ports, but it's a good start.

This depends...

On many networks, what Internet access users want can be split into four
categories:

 * e-mail

 * Web access

 * stuff that can be tunnelled through a web proxy (including anonymous
   FTP)

 * stuff that needs approval from the Powers That Be.

In this case, you can configure the firewall to block *everything*, in
and out, by default. Then you open holes for DNS, e-mail (presumably to
and from your internal server only), web access (just from the proxy to
the commonly used web ports), FTP, and anything else necessary.

Stuff that gets approval gets holes cut just for that purpose and from
appropriate PCs: PCs without a need for this can be set up *without* a
default gateway -- that way they don't show up in firewall logs.

This does mean that users who want to access web servers on creative
ports have to ask for help. 

Of course, all of this is political. In my experience this can be
introduced without complaint when the network is first set up -- later
you may well get rumblings of discontent.

James.

-- 
E-mail:     james@ | WARNING:  Pressing CTRL+ALT+DEL again will restart your
aprilcottage.co.uk | computer.  Then again, what won't?  You will lose unsaved
                   | information, and even supposedly saved information, in
                   | any case.                              -- David P. Murphy
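
Added example (not part of the original message): a small Python check that reads iptables-save output from the firewall and reports anything that would let web traffic out from a host other than the proxy, which is the policy described in the thread. The addresses, the port list and the sample ruleset are constructed for illustration, and the check assumes the firewall routes traffic through its FORWARD chain.

```python
PROXY = "192.168.1.10"   # assumed proxy address (constructed)
WEB_PORTS = (80, 443)    # assumed "commonly used web ports"

# Constructed iptables-save output from the firewall (filter table).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.10/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s 192.168.1.20/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.1.25/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def covers(spec, port):
    # True if a port spec such as '80', '80,443' or '8000:8999' includes port.
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        lo, hi = int(lo or 0), int(hi or (65535 if sep else lo))
        if lo <= port <= hi:
            return True
    return False

def audit(dump, proxy=PROXY, web_ports=WEB_PORTS):
    # Return a list of findings; an empty list means only the proxy can reach the web.
    findings = []
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith(":FORWARD") and tok[1] != "DROP":
            findings.append("FORWARD default policy is %s, not DROP" % tok[1])
        opt = {k: v for k, v in zip(tok, tok[1:]) if k.startswith("-")}
        if tok[:2] != ["-A", "FORWARD"] or opt.get("-j") != "ACCEPT":
            continue
        state = opt.get("--state") or opt.get("--ctstate") or "NEW"
        if "NEW" not in state.split(",") or opt.get("-p", "all") not in ("tcp", "all"):
            continue  # replies to already permitted flows, or not TCP
        if "!" in tok:
            findings.append("review by hand (negated match): " + line)
            continue
        spec = opt.get("--dport") or opt.get("--dports") or "0:65535"
        src = opt.get("-s", "0.0.0.0/0")
        if src not in (proxy, proxy + "/32") and any(covers(spec, p) for p in web_ports):
            findings.append("web port open to %s: %s" % (src, line))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "only the proxy can reach web ports")
```

On the constructed sample this reports the last rule, which opens port 443 to the whole 192.168.1.0/24 network and so lets clients bypass the proxy.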



