ISA 2000: Block Barry's Access Except For One Site

Q: I need to block Internet access for Barry, except for one site.

A: As long as all users are required to authenticate when surfing, this is doable. You can specify exclusions using the Site and Content rules.


However, if any combination of (S&C and Protocol) rules is allowing anonymous access (anywhere), Barry may be able to get through; web browsers typically try to use anonymous connections before authenticating.


You Will Need:


A Destination Set ("Barry's White List"): contains only
www.thealloweddomain.dom (and any other domains you do want Barry to access).


Protocol Rule(s) allowing access to HTTP/S.


Site and Content Rules something like this:


Allow (Domain Users) Anywhere Anytime
Deny (Barry) (All Sites Except Selected Destination Set: Barry's White List)


or, if you've already got a "full privilege" user group segregated:


Allow (Internet Access Group) Anywhere Anytime
Allow (Barry) (Selected Destination Set: Barry's White List) Anytime