Windows XP logoff script and Internet Explorer

I thought this would be the best place to ask this sort of question rather than the networking forum.

My situation at the moment:

My company is currently reviewing its security policy and we have a combination of a Finjan and WatchGuard Firebox system in place for all our security and web filtering needs.

Now up until recently it seems that whoever installed the Finjan did not make the changes to the group policy to force everyone through the Finjan proxy, so users could go to unauthorised sites such as Facebook, email etc.

So I have added to our logon script to set the user to go through whichever Finjan proxy is on their site, then disabled the option to be able to change this via group policy.

Since implementing these changes it has had a side effect that our laptop users can no longer connect their work PCs to alternative internet sources, i.e. home, out of office etc.

So to combat this I have added a logoff script so that the changes made at logon will be undone, so in theory when they are not connected to our domain they should be able to connect it to anywhere without any issues. This sadly is not happening.

So I am starting to run out of ideas and was wondering what other people did in this situation.

Thanks in advance for your help.
 
Well a simple logon script can be designed to change the proxy settings on logoff.

If I remember correctly it's just a simple reg file that you can run silently.

Download regmon and use that to take a before and after snapshot. That way you will know what registry key needs changing and adding to the log off script.

Good luck.
 
Maybe I have not explained myself correctly.


Currently using a logon script to do the following:

set proxy server on
set proxy address

using group policy to do the following:

disable lan settings control from user


logoff script is doing the following:

set proxy server off


But as I said, is there a way I can check to see if the machine is off the domain and ensure this setting is turned off?
 
davetherave2 said:
Maybe I have not explained myself correctly.


Currently using a logon script to do the following:

set proxy server on
set proxy address

using group policy to do the following:

disable lan settings control from user


logoff script is doing the following:

set proxy server off


But as I said, is there a way I can check to see if the machine is off the domain and ensure this setting is turned off?

Before the users take them home, get them to bring it into the office? Check it manually.

OR create a batch file on the system and tell the user to run it IF the user is using it for their own home internet. Or do you have dumb users?
 
Currently the logoff script is just a simple batch file that re-enables the key for the proxy; the problem is that it is open to abuse. If the laptop users have this file on their machines then they could potentially give the file to other users.

We still want this key enabled when they are in the office so that they don't abuse the internet.

Unfortunately not all users are on our site.
 
davetherave2 said:
Currently the logoff script is just a simple batch file that re-enables the key for the proxy; the problem is that it is open to abuse. If the laptop users have this file on their machines then they could potentially give the file to other users.

We still want this key enabled when they are in the office so that they don't abuse the internet.

Unfortunately not all users are on our site.

Tell them that they can't plug the laptops into the network then, make it a policy. TBH I bet there's more security threats on the network like that.

Maybe the best way is doing it manually by telling them to bring the laptops into the office for a check.
 
If I have read this correctly, surely all you would do is create a program, so that when the user logs in (program starts) it checks if it's on your domain, and if it is, it changes the proxy settings (taking a snapshot of what the settings were before), and then sets them back to what they were in the snapshot on logout.

Maybe have some sort of locking mechanism as well so they can't give the file to another user. So when the program is first run it takes all the computer settings so it only works for that computer - actually if you are doing what I said above, you wouldn't really need the locking. You could run it as a service, as long as they are not allowed to kill services.
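
The domain check asked about in this thread, as an added example that is not part of any poster's reply: a batch file that turns the Internet Explorer proxy on only when an internal host answers, and off otherwise. The host name, proxy address and log file name are placeholder assumptions, and it is assumed to run from a local startup location, because a domain logon script is not delivered when the laptop logs on away from the network.

```bat
@echo off
rem Added example, not code from the thread.
rem Run from a local per-user startup location so it also runs on
rem cached logons when no domain controller can be reached.
setlocal

rem ASSUMPTIONS: both names are placeholders, not values from the thread.
set "DC_HOST=dc01.corp.example"
set "PROXY=proxy.corp.example:8080"
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set "LOG=%TEMP%\proxy-switch.log"

rem A reply containing "TTL=" means the host itself answered.
rem ping's errorlevel alone is unreliable here: a router's
rem "Destination host unreachable" reply can still return 0.
ping -n 2 -w 1000 %DC_HOST% | find "TTL=" >nul
if errorlevel 1 goto offsite

:onsite
rem Internal host reachable: point the user at the site proxy.
reg add "%KEY%" /v ProxyServer /t REG_SZ /d "%PROXY%" /f >nul
if errorlevel 1 goto failed
reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 1 /f >nul
if errorlevel 1 goto failed
echo %DATE% %TIME% on-site: proxy enabled >> "%LOG%"
goto done

:offsite
rem Internal host not reachable: leave the address, just switch it off.
reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f >nul
if errorlevel 1 goto failed
echo %DATE% %TIME% off-site: proxy disabled >> "%LOG%"
goto done

:failed
echo %DATE% %TIME% registry write failed >> "%LOG%"
endlocal
exit /b 1

:done
endlocal
exit /b 0
```

Because the file sits on the laptop, users can read and copy it, so it handles roaming but is not what enforces filtering in the office.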
 