How to implement Internet whitelist?
March 21, 2011 3:21 PM
What's the best way to implement an internet whitelist for a specific user account on Windows XP?
I want to implement a whitelist to restrict a six-year-old child to only visiting certain web sites. It is easy to implement a Microsoft-curated child-friendly whitelist on Windows 7, but I can't find a good way to do it on XP.
The whitelist could be manually curated by the child's parent or come from a provider. I am aware of OpenDNS and router-based solutions, but we really want very strict filtering on the child's account and to leave the other accounts on the computer unfiltered. Is this possible with Windows XP? Free would be better than paid.
(The child has just learned that he can search Bing for how-tos for some Club Penguin thing that he spends too much time on; this is turning up unsuitable content on YouTube and spammy sites advertising scantily-clad local hotties. His mother is aware that in the near future he will be able to defeat any technical barrier she implements and a computer-in-living-room solution will be necessary. At present, however, it is unavoidable that he will be using the computer unsupervised so we need this kind of technical solution.)
Instead of locking down a user account, you can install a kid-friendly browser that allows for parental controls as well as allowing parents to specify sites. Some of them even show videos from YouTube that are safe for viewing.
Some of the better ones are
KidZui.com, zoodles.com, kid-surf.com are well-known, but KidZui seems to have too many ads from Mattel, Hasbro, Disney etc. Zoodles looks the most promising.
posted by theobserver at 3:49 PM on March 21, 2011
Oops, the last couple of sentences didn't come out right. Please ignore the second one.
posted by theobserver at 3:52 PM on March 21, 2011
it is unavoidable that he will be using the computer unsupervised
Is this a political truth, or a perceived technical one? Because it's technically a hell of a lot easier to lock a computer down altogether except at such times as it can be used supervised than it is to lock its web access down to a whitelist. And it's a hell of a lot easier to start imposing restrictions like this at six, while parents are still some kind of approximation to God, than it will be later on.
Locking the machine down altogether requires only that the BIOS is set not to boot from anything other than the HD and that its password is set to enforce this, along with judicious use of Windows user account passwords. This will hold until (a) little nowonmai develops some screwdriver expertise or (b) somebody is ill-advised enough to give little nowonmai's shiny new pocket device access to the house wifi.
posted by flabdablet at 5:42 PM on March 21, 2011
Response by poster: Is this a political truth, or a perceived technical one?
The parent (singular, and not me) is disabled, and suffers from episodes of extreme fatigue so it is an unfortunate fact that "go away and play with the computer for a bit" is at times a necessary measure.
The kind of BIOS lockdown you are talking about won't be necessary for a couple of years, by which time moving the computer into the living room will be the appropriate measure. By that point, I'm guessing somebody will have to buy them a new machine, anyway, and I expect the child's technical expertise will far outstrip his mother's well before he hits his teens. I'm currently looking for a shortsighted quick interim fix.
posted by nowonmai at 6:05 PM on March 21, 2011
Best answer: OK then.
Assuming the little one is not yet savvy enough to work around things that aren't instantly clickable, and assuming a proper commercial parental filter costs more than you're willing to spend, you can do this in Firefox using Adblock Plus (which in any sane Firefox installation will already be there).
First, engage your security-by-obscurity thrusters by turning off Adblock Plus's "display in toolbar" and "display in status bar" preferences, so that the only way to get to the Adblock Plus preferences is via Tools->Add-ons. Next, create an element-hiding filter rule that blocks the HTML element, effectively turning every web site into a blank page:
##html
Your whitelist can then be implemented as a set of exception rules that turn element hiding off for selected sites:
@@||ask.metafilter.com$elemhide
@@||adblockplus.org/en/filters$elemhide
and so on. The Adblock Plus filter syntax is good enough to let you build quite a fine-grained whitelist.
posted by flabdablet at 9:03 PM on March 21, 2011
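An added example, not part of the original answer or of Adblock Plus itself: a simplified JavaScript model of how the hide-everything rule and the `$elemhide` exceptions above decide which pages stay visible. The matching is an approximation of Adblock Plus's `||` and `^` pattern syntax, the test URLs are constructed, and it goes slightly beyond the answer by showing that a rule ending in `^` stops matching longer host names that merely begin with the whitelisted one.

```javascript
// Added example (not from the thread): simplified model of Adblock Plus
// URL matching for a "##html" hide-all rule plus "$elemhide" exceptions.
const SEPARATOR = "(?:[^\\w\\-.%]|$)"; // "^": separator character or end of URL

// Convert the URL pattern of an exception rule into a RegExp.
function patternToRegExp(pattern) {
  let prefix = "";
  let body = pattern;
  if (body.startsWith("||")) {
    // "||" anchors at the start of the host name and allows subdomains.
    prefix = "^[\\w\\-]+:\\/+(?!\\/)(?:[^\\/]+\\.)?";
    body = body.slice(2);
  }
  const source = body
    .replace(/[.+?${}()|[\]\\\/]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                    // "*" is a wildcard
    .replace(/\^/g, () => SEPARATOR);
  return new RegExp(prefix + source);
}

// Parse a filter list; only the two rule shapes used in the answer are handled.
function parseWhitelist(lines) {
  const list = { hidesEverything: false, exceptions: [] };
  for (const raw of lines) {
    const line = raw.trim();
    if (line === "##html") list.hidesEverything = true;
    const m = /^@@(.+)\$elemhide$/.exec(line);
    if (m) list.exceptions.push(patternToRegExp(m[1]));
  }
  return list;
}

// A page stays visible only if an exception rule matches its URL.
function isVisible(list, url) {
  return !list.hidesEverything || list.exceptions.some((re) => re.test(url));
}

// Rules as posted in the answer, then a stricter variant ending in "^".
const asPosted = parseWhitelist([
  "##html",
  "@@||ask.metafilter.com$elemhide",
  "@@||adblockplus.org/en/filters$elemhide",
]);
const strict = parseWhitelist(["##html", "@@||ask.metafilter.com^$elemhide"]);

// Constructed test URLs; the last host only begins with a whitelisted name.
for (const url of ["http://ask.metafilter.com/", "http://www.youtube.com/",
                   "http://ask.metafilter.com.example.net/"]) {
  console.log(url, isVisible(asPosted, url), isVisible(strict, url));
}
```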
Response by poster: Thanks so much for all your help. It looks like restricting the account's access to a single browser, then using Content Advisor or a Firefox addon to filter will be the solution.
posted by nowonmai at 1:02 PM on March 24, 2011
Restricting an account to a single browser is actually not as easy as it sounds.
First thing is that the account must be a limited account, not a computer administrator. This is not the default. Check it.
Next, you need to log on to a computer administrator account, and find the executable for each browser you want to disable. For Firefox, this is generally C:\Program Files\Mozilla Firefox\firefox.exe; for IE, C:\Program Files\Internet Explorer\iexplore.exe. Don't know about Chrome, but it shouldn't be too hard to locate.
Now you need to right-click on the executable, select Properties, and click the Security tab. This is where the difficulty starts, because you might not see a Security tab.
If there's no Security tab and you're using Windows XP Professional, then open My Computer, select Tools->Folder Options->View, and turn off Simple File Sharing.
If there's no Security tab and you're using XP Home, install and run Reinhard Tchorz's FileSecPatch utility.
Having got to the Security tab: click Add, then enter the name of the user account you want to lock out, then click OK. You'll see a new permission for that account with "Read and Execute" and "Read" boxes ticked in the Allow column. Click on the "Read and Execute" box in the Deny column, and you will see both the check marks move over. Click OK.
You should now find that the user account you named is unable to run the browser whose security settings you just modified.
posted by flabdablet at 4:00 PM on March 24, 2011
This thread is closed to new comments.
That would prevent you from using IE in your account (Content Advisor settings are global), but that may not be a problem for you.
I haven't tested this, apologies if I have missed some obvious flaw.
posted by Busy Old Fool at 3:48 PM on March 21, 2011