SBS Premium - ISA - Creating a Work Hours Internet Site Restriction Policy

Almost all of our clients have an Acceptable Use Policy (AUP). The AUP outlines what one can and cannot do with company equipment and Internet access while in the office or out.

One of the requests we get is to place a restriction on which Internet sites that users would commonly visit during working hours or at all.

In ISA 2004, we would do the following:

1. Open the ISA Management Console
2. Right click on Firewall Policy -->New --> Access Rule
3. We call them Workhours Deny
4. Rule Action: Deny
5. Selected Protocols: HTTP, HTTPS, MSN Messenger
6. Access Rule Sources: Internal & Local Host
7. Access Rule Destination: Add
1. New: URL Set
2. Name: Workhours Deny
3. Add: http://*.rad.msn.com/*
4. Some sites at the bottom of this post.
5. OK
6. Click on + beside URL Sets and double click on "Workhours Deny"
7. Close
8. Next
9. All Users -->Next
10. Finish
11. In the ISA Console, double click on the Rule before clicking Apply in there
12. Click the Action Tab: Tick "Redirect HTTP requests to this Web page:"
• We create an AUP page for Companyweb: http://companyweb/General%20Documents/AcceptableUsePolicy.aspx?PageView=Shared
13. Click the Schedule Tab
14. New button
15. Name ClientName Workhours and set the active times.
• We set 0800 to 1800 for the times as a rule for all 7 days.
16. Click OK
17. Click Apply and OK in the Workhours Deny Properties window
18. Click Apply and OK in the ISA Console.

Once the above is done you will end up with a policy that looks something like this in the ISA console:

During the working hours specified, if the user tries to connect to the Web sites that are listed in the Deny List, they will be greeted with the following:


Here is a partial list of sites that we tend to restrict out of the box as part of the SBS Premium setup:

• http://*.ebuddy.com/*
• http://*.get.live.com/*
• http://*.login.live.com/*
• http://*.shared.live.com/*
• http://*.webmail.usersisp.com/*
• http://*.gmail.com/*
• http://*.hotmail.com/*
• http://*.login.yahoo.com/*

Any site that would essentially waste a user's time or open the network to possible compromise would normally make the list.

In almost all cases, most people figure it out and there is not a problem. Once in a while a little more is needed, so with the Client Contact's approval, a simple email with a screen shot of an ISA report showing the user name and sites being visited is sent to the problematic user. This usually kills the behaviour immediately.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.