[hudson1]

I searched around the forums but couldn't find an answer that addressed my circumstance. Here it is....

I'm looking for a way to disable internet access for one of the two user accounts on my home machine running 10.3.9. We have DSL with a router in between the modem and Mac. All are hooked up by ethernet downstream of the DSL modem.

To be more specific, I guess what I'd ideally like to do is disable web browsing and leave Mail access unaffected but that's simply a "want" and not the primary "need".

Any thoughts? Thanks.

[jabackes]

delete safari?

that seems to be the easiest...,

or make that account managed and dont let them have access to safari, something like that... move safari to your accounts's homefolder and make an applications folder in home... etc... i think that should help out

[Chuckit]

That wouldn't work for only one user. But you could disallow Safari for that user. I think Little Snitch would be the most direct way to disallow Internet access, though. You might try it out.

[jabackes]

Originally Posted by Chuckit

But you could disallow Safari for that user. I think Little Snitch would be the most direct way to disallow Internet access, though. You might try it out.

already said that, little snitch could work, you could disable port 80, but i think managed account where safari is off limits would be the best....

[hudson1]

I've never tried Little Snitch. I gather from this thread that you can set up Little Snitch rules that are specific to one user. Is that right?

[Person Man]

Originally Posted by hudson1

I've never tried Little Snitch. I gather from this thread that you can set up Little Snitch rules that are specific to one user. Is that right?

Yes, but that's not the best approach to use (and it's easily circumvented by that user, because to apply only to that user, the pref pane needs to be in his personal account's Library folder, which gives that user full access). What exactly is the situation you are trying to accomplish here?

If you want the person to have access to e-mail, but not web browsing, then set up their account as a managed user and prohibit access to Safari.

[Mac Write]

Or use Tiger's Parental controls to limit Internet access.

[ManOfSteal]

Install Windows XP. Do not load any virus software or security patches. Wait 25 minutes. Try using the Internet. Case closed.

[GSixZero]

double post.

[GSixZero]

Change the ownership of safari to the user who needs internet access, then make the permissions 700 on the file.

[pete]

macminder?

[TETENAL]

Originally Posted by hudson1

To be more specific, I guess what I'd ideally like to do is disable web browsing and leave Mail access unaffected but that's simply a "want" and not the primary "need".

I would also suggest Tiger's parental control.

[Person Man]

Originally Posted by TETENAL

I would also suggest Tiger's parental control.

Assuming he's running Tiger.

[Person Man]

Originally Posted by GSixZero

Change the ownership of safari to the user who needs internet access, then make the permissions 700 on the file.

That would not apply to only one user. That limits internet access to just one person. Not to mention that the permissions would be reset during a repair permissions command, and that there are plenty of other methods available to restrict access without changing permissions.

[chris v]

The good news is that with 10.4, you can configure "supporting apps" to not function, so that if you've disabled Safari, a user can't get it to launch through Watson or Sherlock, or the Services menu, like in 10.3.

The parental controls actually seem pretty good this time around.

[Sarc]

but you could always ftp and download another browser ?

[Fusion]

Originally Posted by ManOfSteal

Install Windows XP. Do not load any virus software or security patches. Wait 25 minutes. Try using the Internet. Case closed.

I got a good laugh out of that! Thanks!

[hudson1]

Thanks for the replies. The reason I want to do this is that our daughter seems to allow web surfing to get in the way of doing homework. I'm not planning to ugrade our computer to Tiger as I will probably buy a new Mac this summer anyway. So the enhanced parental controls in 10.4 won't help. I'm sure I can mess around with the permissions on Safari, Camino, Firefox, IE to achieve this. I'll probably also download the demo of Mac Minder. Thanks especially for that tip as the info on it looks very good and the price was pretty reasonable at $30.

[ajbaker]

This is not an easily solved problem. All of the responses so far are good suggestion, however if your daughter is in any way technical, she will soon realise she could install a new web browser. Anything you do will be irrelevant when that happens!

I'm not aware of any software for 10.3.9 that will help you out here.

If this was something I wanted to do, I would you down the following router. Which, I agree, is complete overkill for your situation.

Squid is a open source UNIX daemon (Server) known as a web proxy. All network traffic goes through this software (it can be installed on your machine) before reaching the internet. Best of all this software enables you to setup Access Control Lists, including username and password. In addition I think you could probably set time based settings, so for example your daughter could use the internet for a set period of time during the day.

Squid

Installation and setup would be a nightmare, and as I said, this is complete overkill. Food for thought.

[Big Mac]

If the only access granted to the Internet is Mail.app, then there's no way she's going to install a browser unless she either a) has someone mail her an attached browser installer or she b) circumvents software security (assuming the absence of OF Password) or hardware security.

[ajbaker]

Good point. I assumed however that she would be allowed some internet access at some point in her life. And its safe to assume that is not all supervised.

[DarwinX]

Originally Posted by ajbaker

Good point. I assumed however that she would be allowed some internet access at some point in her life. And its safe to assume that is not all supervised.

MacAddict just did a big write up about this issue in last months issue I believe? Current or last month. Check it out, it may contain the answers you seek.

[Sarc]

Create an unprivileged user account (ie. not admin).
IIRC, Panther allowed you to specify what apps. an unprivileged user could run. Use that.
Then, move all your browsers into a folder that requires admin privs. to browse. And just for the fun of it do the same with the browsers' permissions.
Also, IIRC (again), Panther could disallow a user to munt CD's or DVD's. Use that too.

And don't allow to run the Terminal or any other app. that could be used to download a new browser.

Anyway, she could always ask a friend to send on via IM.

[Gee4orce]

Or, you could just chill out and let your daughter access the internet.........

Ok, I'm assuming the reason for this is to prevent access to porn and grooming by nasty people, but there are ways and means for restricting access without withholding it entirely. Denying someone access to the internet is tantamount to not letting them read books or watch tv these days.

If you are a .Mac member there is some free software that works pretty well - download it from the .Mac site. Otherwise, upgrade to Tiger and investigate the parental controls section of the Accounts preference.

[edit] Also, have a look at the configuration of your router. I know some Netgear routers at least can be configured to deny access at certain time periods. Could be another way of restricting access so that she gets her work done, and yet still allow her access to the internet when she's finished it ?

[intake]

[edit]nevermind, my exact thoughts were already echoed above.

[Goldfinger]

Originally Posted by Gee4orce

Or, you could just chill out and let your daughter access the internet.........

[Gavin]

A quick way to do what you want is to add a rule to the firewall the blocks outbound traffic on port 80. Add it when you need it and remove it when you don't.
paste these into the terminal. 1 to stop web browsing, the second to allow it again.
sudo means run it as the super user and it will ask for your administrator's password. if you are the main user then it's simply the password you log in with. ipfw is the firewall software.

add rule to block web access:
sudo /sbin/ipfw -q add 02045 deny tcp from any to any 80 out

remove rule:
sudo /sbin/ipfw -q delete 02045


To make it easier you can save this as an applescript. paste following script into script editor and save it as a application, run only. call it 'Block The Web' or something. Just double click it when it's her time to use the machine for homework or before you log out. Make another script with the other command to turn it off when she's done. Give the script permissions so that only you can run it. There may be a more secure way to do this, like have the applescript ask for your password instead of hard coding it. or even using the keychain somehow.

You'll still have to remember to run it by hand. Anyone know if there is a way to trigger a script on user switching? Also, rebooting the computer will reset it, but she may not figure that out. You can add the block rule to the startup script so the computer will start up with web browsing turned off.

applescript:

set thePassword to "your-password-here"

do shell script "sudo /sbin/ipfw -q add 02045 deny tcp from any to any 80 out" password thePassword with administrator privileges

[fulmer]

log on to her non-admin account.
Uncheck all network port configurations.
Click the lock to ensure she won't be able to change them.

She should now be without any network access.

[Sarc]

Originally Posted by fulmer

log on to her non-admin account.
Uncheck all network port configurations.
Click the lock to ensure she won't be able to change them.

She should now be without any network access.

wouldn't that kill iNt access to all users ?
anyway it can be checked and unchecked when needed, I like this solution.
Of course, ti could be overriden with the terminal.

[jay3ld]

i would go the way of blocking access to safari and that. also do sherlock, Watson. this will help allot.

another way to do it is i walk over to the modem. take it out and walk away. problem solved.
^WORKS!!!^