Question about "authorized" Firefox version...

zygar
Posts:2
Joined:Tue Jan 03, 2006 5:43 pm

Post by zygar » Tue Jan 03, 2006 5:47 pm

Howdy all. I'm an administrator for a private boarding school and would like to roll out Firefox via GPO (Server 2003) to school-owned PCs. I've successfully installed the MSI file in a dedicated GPO as well as the ADM files. Just waiting for the deployment to commence.

We have quite a few students who use flash drives to run FF and not via the hard drive.

Would anyone recommend a solution I can deploy to allow only the FM version of FF to run and no other versions? Perhaps Software Restrictions?

Reason is that the workstations have to be configured to go through a proxy server (IE's already set up this way) and if the students run their own version, they can bypass the proxy (long story on why we're not transparent proxying in the first place).

Thx much, in advance!

Regards,
Z.

Zippyfrog
Posts:3
Joined:Thu Dec 29, 2005 8:57 am

Post by Zippyfrog » Tue Jan 03, 2006 11:39 pm

My suggestion would be to block all outbound traffic except for your proxy server port. That way, when the students decide to choose direct connection to the internet from their flash drive version of Firefox, it will time out. The only way their flash drive version of Firefox would work would be if they put in the proxy address.

anthonymel
Posts:105
Joined:Tue Jul 12, 2005 8:56 pm

Post by anthonymel » Wed Jan 04, 2006 12:57 am

What type of proxy server are you using? Why not just make it the default gateway for the network? That way, no matter where on the net the user goes, they have to pass through the proxy.

zygar
Posts:2
Joined:Tue Jan 03, 2006 5:43 pm

Post by zygar » Wed Jan 04, 2006 7:55 am

Thx much for your replies, Zippy and Anthony. I greatly appreciate it.

Excellent suggestion about blocking outbound traffic. We're running three subnets (one for faculty/staff, another for student workstations and a third for future expansion). Fortunately, the proxy server is on the same subnet as the other servers (of course) and off of the student subnet so blocking outbound traffic on the student subnet and forcing them to go through the proxy shouldn't be a problem. A bit of additional background about the network:

Firewall is a Sonicwall Pro1260. This handles the subnetting as well as traffic (of course). Proxy server is Smoothwall's School Guardian. Unfortunately, the Sonicwall is already the default gateway for the network (it also handles gateway AV <running McAfee's eOrchestrator for workstation protection> and other tasks). Since we require only school-owned workstations to be filtered/proxied, faculty/staff that live on campus do not go through the proxy on their privately-owned systems (hence the reason for all the complexity).

I don't want to restrict the use of flash drives (don't want to turn into the "IT cop" as it doesn't do any good for anyone) but, at the same time, I need to follow corporate policy as well (I didn't write the policy although I should rewrite it! :) ).

I'll give the outbound blocking a try.

I appreciate it! :D

Regards,
Z.

wolfman95
Posts:1
Joined:Wed Apr 12, 2006 8:58 am

Post by wolfman95 » Wed Apr 12, 2006 9:43 am

This topic is a bit old, but I just came across this site and thought I'd lend my .02. We have a number of students who tried carrying around PocketFirefox to circumvent our proxy server (because they just HAD to get to myspace at school). We did a couple of things. First, we hashed the PocketFirefox executable and set it as a disallowed software restriction policy in GPO. We still run IE (for the moment), so I can't tell you if PocketFirefox has the same hash signature as the regular or CE editions...you'll have to experiment. Second, we disallowed running programs from drives E-J (which is what a memory key would be assigned). That way, they can still read/write data files to their memory keys, but can't run programs.

Students would probably get savvy to the following eventually, but you could try renaming your instance of FirefoxCE to ffoxce.exe (or something like that) and then restrict running programs called firefox.exe.

Hope something here helps.

Wolfman
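
Added example, not part of any poster's configuration: a simplified Python model of the three disallow rules described in the post above (file hash, drive letters E-J, file name), run against constructed launch attempts to show which rule still matches when the build or the file name differs. The rule model, sample paths and byte strings are assumptions for illustration; real Software Restriction Policies are evaluated by Windows, and SHA-256 here stands in for whatever hash the policy stores.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-ins for browser builds (not real binaries).
BUILD_A = b"MZ constructed portable browser build A"
BUILD_B = b"MZ constructed portable browser build B"
MANAGED = b"MZ constructed managed browser build"


def file_hash(data):
    """Hash the file contents; any change to the file changes the value."""
    return hashlib.sha256(data).hexdigest()


# Disallow rules mirroring the post (simplified model, assumed for illustration).
RULES = {
    "hash": {file_hash(BUILD_A)},   # one specific executable was hashed
    "drives": set("EFGHIJ"),        # letters a memory key would be assigned
    "names": {"firefox.exe"},       # block by file name
}


def blocked_by(path, data, rules=RULES):
    """Return the disallow rules that match one launch attempt."""
    p = PureWindowsPath(path)
    hits = []
    if file_hash(data) in rules["hash"]:
        hits.append("hash")
    if p.drive[:1].upper() in rules["drives"]:
        hits.append("drive")
    if p.name.lower() in rules["names"]:
        hits.append("name")
    return hits


# Constructed launch attempts: (path, file contents).
LAUNCHES = [
    ("F:\\PortableApps\\firefox.exe", BUILD_A),   # the exact build that was hashed
    ("F:\\PortableApps\\firefox.exe", BUILD_B),   # other build: hash rule is silent
    ("F:\\PortableApps\\browser.exe", BUILD_B),   # other name: only the drive rule
    ("C:\\Program Files\\Mozilla Firefox\\ffoxce.exe", MANAGED),  # managed copy
]

if __name__ == "__main__":
    for path, data in LAUNCHES:
        hits = blocked_by(path, data)
        verdict = "BLOCKED by " + ", ".join(hits) if hits else "allowed"
        print(f"{path:50} {verdict}")
```

In this model the drive-letter rule is the only one that matches every launch from the memory key, which is why it is worth pairing with the hash and name rules rather than relying on either alone.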
