Limiting access on shared workstations

ITKnowledge Exchange member "r76ijecx" had a question about how to control access to certain Web sites on the client machines in an Internet café; read how fellow techies helped.

ITKnowledge Exchange member "r76ijecx" had a question about how to control access to certain Web sites on the client machines in an Internet café; read how fellow techies helped. Read the rest of the thread.

Want to join in on a similar conversation? Register for ITKnowledge Exchange and fill out your profile so you can ask specific sets of people your IT questions and also help out your fellow geeks. Anyone can read answers already provided to questions, but only registered ITKnowledge Exchange members can ask questions or add to threads.

ITKnowledge Exchange member "r76ijecx" asked:
I am going to set up an Internet café soon, but I'm not sure whether it's going to be client/server-based or peer-to-peer.

I'm wondering whether I can restrict access to certain Web sites and also restrict users from installing their own choice of software on the client machines.

The answer to both of your questions is yes.

What OS you use for your clients would dictate how you do it, though. If you use a Microsoft Windows-based client, you can add all of the clients to a single domain/Active Directory and then use Group Policy to restrict what the client accounts can do. I've worked for many large companies that limit workstations in such ways. If you're looking at a Unix/Linux-based client, most have the ability to configure PAM (Pluggable Authentication Module) to restrict administrative access to certain accounts.

As for restricting access to certain Web sites, check out Websense. It's a product that can filter Web-based traffic and can block access to single sites, a range of sites or groups of sites rated by categories. Of course, there are many other products on the market, including open source products, that would do the same thing; Websense is just the leader in that space.


I would suggest setting up a small client/server network and customer/client computers/accounts with guest access (if you use Windows 2000 or XP), making sure that only read access to the file system is enabled. I would also suggest shutting the machines down at night or at closing time with the systems set to clear the swap file and cache upon shutdown. If you use one network to serve both customer and internal (business-side) computers, I strongly suggest either subnetting the business (and denying access to business subnets from café clients) or implementing a VLAN (if your router/switch supports such a feature).

Set your firewall (hardware-based, preferably) with an appropriate ACL, so that unwanted traffic does not enter (and just as importantly, leave) the network.

Deploy a personal firewall (Sygate, Zone Alarm, Tiny, Black Ice, whatever) on each workstation for added security (many/most can be obtained for free), and make sure that you utilize some sort of antivirus software on EACH COMPUTER on the network.

Websense (as suggested above) is an excellent choice, or you can install a parental control program such as Net Nanny to achieve similar results.


In the computer world the answer is always yes. The real question is: How much am I going to have to spend to accomplish what I am after?

On any Windows 2000 or XP machine, if the user is not an administrator they cannot install software. You can even be more specific in the policy that allows the user only to use Internet Explorer and not have a Start menu so they can't browse the computer and do anything stupid. You can take away all the shortcut keys so they can't open up Windows Explorer and so on.

At any rate you can use a software like Websense or Surfcontrol. They all work well and have an annual fee so the software keeps up to date with new Web sites and categorizing them. It can be very useful to run reports and see where people go.

If you, on the other hand, were only trying to block a handful of sites, I would recommend a cute little trick of adding a custom host file to the PC. Every site you want blocked won't really be blocked, but rather redirected to another Web site. So, let's say you don't want anyone going to I would add with a different IP address, maybe Google's IP address so would go to Google. Websense and similar programs work on this same basis; they generally send the user to a custom-blocked Internet Web address page.

Because these workstations would be part of your business, a thin client desktop is perfect (the user can't mess up the PC, so you don't deal with as many PC problems), and Websense would cover all your bases.


If all you are doing is creating a cybercafé, in which all the users do is access the Internet, then the answer is simple: Get a Server with Windows 2003. Then add Terminal Services. Next get dumb terminals, where you only have the basics, as they don't have an independent hard drive. If you are truly going to have only Internet access, then you can lock it down with Terminal Services to just a desktop and shortcut to IE. You can create general users, specifically for your café: ICuser1 with a password like 1r3suCI, which I'm sure you can figure out, but hard for others to remember. Keep it simple, with nothing extra for users to play with, and you'll be okay.

This was last published in June 2005

Dig Deeper on Network Administration

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.