Although I strongly oppose censorship of any kind, the sad reality is that allowing employees to freely surf the Internet is a really bad idea. Casual surfing can lead to malware infections, litigation and increased support costs. As such, it is probably a good idea to put some controls in place to help limit what your users can access over the Internet. In this article, I will discuss some of the risks associated with casual Internet surfing and offer some suggestions on how you can avoid such risks.
Understanding the risks
Without a doubt, malware infections are the biggest threat from casual Internet surfing. I don't know of a single person (IT professionals included) who has never accidentally stumbled onto a malicious Web page and received a spyware infection as a result.
Antispyware and better security patches have reduced the impact of some types of malware, but other types of malware can pose a threat to security. For example, keystroke loggers are capable of stealing passwords, account numbers and other sensitive information. Even malware that is mostly regarded as a nuisance, such as the type that hijacks a user's home page or floods his screen with pop-ups, is still a problem for businesses because it reduces the user's productivity and ties up the technical support staff.
Another potential problem with casual Internet surfing is harassment-related litigation. Over the years, I have heard many stories of employees walking past another employee's office and being offended by something they saw on the screen. The end result varies from situation to situation, but the outcome is never pleasant. Whether it results in bad press or fired employees, the company is the biggest loser.
Like me, you may be personally opposed to any form of censorship, but, as an administrator, it is your job to protect your company against IT-related threats. And that includes employee litigation related to offensive content.
Other consequences of casual Internet surfing are not nearly as traumatic, but still troublesome. They include things like excessive bandwidth consumption and lower employee productivity. There might also be issues involving increased support costs if employees are allowed to download and install applications from the Internet.
Controlling Internet surfing
Unfortunately, there isn't a magical Group Policy setting within the Windows operating system that allows you to instantly ban casual Web surfing. The closest thing that Microsoft gives us is Internet Explorer's Content Advisor. The basic idea behind the Content Advisor feature is that it allows you to set the level of language, nudity, sex and violence that users can view.
While this probably sounds like a perfect solution, you need to be aware of two issues. First, Content Advisor only addresses language, nudity, sex and violence. It does not make any provision for other types of offensive content. The other problem with the Content Advisor is that it works based on site ratings. When Web developers create a Web site, they pick their own ratings in each of these four categories. The developers of some potentially offensive Web sites will purposely assign their sites ratings that reflect inoffensive content as a way of circumventing the Content Advisor. More often, though, a Web site simply will not have a rating at all.
Content Advisor does address sites with no ratings though. It can be configured so that users are not permitted to visit sites that have no rating. Of course, if users have a legitimate business need to surf the Web, then a blanket denial of sites with no content ratings could pose a problem. You do, however, have the option of adding a list of approved Web sites or of allowing a supervisor to enter a password that allows a user to view otherwise restricted content.
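The decision logic described above, as an added example that is not part of the original article or of Internet Explorer's own code: a simplified Python model showing that the filter trusts each site's self-assigned rating, and how the unrated-site block, the approved list and the supervisor override interact. The host names, the 0 to 4 level scale and all function names are assumptions made for the illustration.

```python
# Simplified model of a self-rating content filter (illustrative, not IE's code).
# Assumptions: levels are integers 0-4; hosts and ratings below are constructed.
from dataclasses import dataclass, field
from typing import Optional

CATEGORIES = ("language", "nudity", "sex", "violence")

@dataclass
class Policy:
    max_level: dict                                   # highest level allowed per category
    allow_unrated: bool = False                       # may users visit sites with no rating?
    approved_sites: set = field(default_factory=set)  # hosts that are always allowed

def decide(policy, host, self_rating: Optional[dict], supervisor_ok=False):
    """Return (allowed, reason) for one request.

    self_rating is whatever the site's developer declared, or None when the
    site carries no rating. The real page content is never inspected.
    """
    if host in policy.approved_sites:
        return True, "approved list"
    if self_rating is None:
        if policy.allow_unrated:
            return True, "unrated allowed"
        return (True, "supervisor override") if supervisor_ok else (False, "unrated blocked")
    # A category missing from the rating is treated as level 4: fail closed.
    over = [c for c in CATEGORIES if self_rating.get(c, 4) > policy.max_level[c]]
    if not over:
        return True, "rating within limits"
    if supervisor_ok:
        return True, "supervisor override"
    return False, "rating exceeds limit: " + ", ".join(over)

def audit(policy, requests):
    """Evaluate (host, self_rating) pairs; return {host: (allowed, reason)}."""
    return {host: decide(policy, host, rating) for host, rating in requests}

# Constructed sample data (hypothetical hosts and ratings).
POLICY = Policy(max_level={c: 1 for c in CATEGORIES},
                approved_sites={"supplier.example"})
SAMPLE = [
    ("honest-adult.example", {"language": 3, "nudity": 4, "sex": 4, "violence": 0}),
    ("mislabelled.example", {c: 0 for c in CATEGORIES}),  # offensive, self-rated clean
    ("unrated-vendor.example", None),                     # legitimate, no rating
    ("supplier.example", None),                           # unrated but approved
]
RESULTS = audit(POLICY, SAMPLE)

if __name__ == "__main__":
    for host, (allowed, reason) in RESULTS.items():
        print(f"{host:24} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

The mislabelled site is allowed and the legitimate unrated vendor is blocked, which is why the approved list needs ongoing maintenance and why rating-based filtering alone is not a complete control.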
Content Advisor can be configured either at the individual workstation level or through a Group Policy. To configure the Content Advisor on an individual PC, open Internet Explorer and select the Internet Options command from the Tools menu. Then, select the properties sheet's Content tab and click the Settings button found in the tab's Content Advisor section. This will reveal the various Content Advisor settings.
You can manipulate the same settings through a Group Policy. You can find the necessary settings in the Group Policy Editor at User Configuration | Windows Settings | Internet Explorer Maintenance | Security. The settings you need are found under the Security Zones and Content Ratings Group Policy Object. Keep in mind that this particular GPO works a little bit differently than most. Rather than being able to set the Content Advisor settings directly, you must import them from a computer that is already configured. The Group Policy Editor walks you through this process and makes the configuration simple, but it is still nice to know ahead of time that you will have to import settings from a computer that is already configured.
Content Advisor provides a good start to gaining control over casual Web surfing, but it does not offer a comprehensive solution to the problem. If casual Web surfing is a serious problem in your organization, you may have to invest in third-party software.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This tip originally appeared on SearchWindowsSecurity.com.