A Myspace Lockdown - Is It Possible?

Posted by Cliff
from the separate-your-workers-from-distractions dept.
Raxxon asks: "We (my business partner and I) were asked by a local company to help 'tighten up' their security. After looking at a few things we ran some options by the owner and he asked that we attempt to block access to MySpace. He cited reasons of wasted work time as well as some of the nightmare stories about spyware/viruses/etc. Work began and the more I dig into the subject the worse things look. You can block the 19 or 20 Class C Address Blocks that MySpace has, but then you get into problems of sites like "MySpace Bypass" and other such sites that allow you to bypass most of the filtering that's done. Other than becoming rather invasive (like installing Squid with customized screening setups) is there a way to effectively block MySpace from being accessed at a business? What about at home for those who would like to keep their kids off of it? If a dedicated web cache/proxy system is needed how do you prevent things like SSL enabled Proxy sites (denying MySpace but allowing any potentially 'legal' aspects)? In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?"

  • Re:Porn filters (Score:2, Informative)

    by alanshot (541117) <<ten.dnamednohcet> <ta> <kcirur>> on Wednesday February 28, 2007 @11:59AM (#18181862)
    yup. Sonicwall with their CFS (content filter system). works like a dream.

    Until somebody there goofs and flags the map image server for mapquest as porn (we are fighting that one now)

    Luckily they do have a user submission system to reclassify those goofs.
  • Websense (Score:2, Informative)

    by outlaw69 (209617) on Wednesday February 28, 2007 @12:02PM (#18181920) Homepage
    Install websense. Blocks the proxy sites AND Myspace as well as anything else you want.
  • One way (Score:5, Informative)

    by Zonk (troll) (1026140) on Wednesday February 28, 2007 @12:05PM (#18181966)
    Squid+SquidGuard

    I had to do this for a school. Basically, set up Squid to act transparently. Set up an acl like:


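    # Match myspace.com and all of its subdomains
    acl myspace dstdomain .myspace.com
    # Working hours, Monday-Friday; lines sharing an ACL name are ORed together
    acl work_hours time MTWHF 09:00-12:00
    acl work_hours time MTWHF 13:00-17:00
    # Allow MySpace outside working hours, deny it otherwise
    http_access allow myspace !work_hours
    http_access deny myspace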


    That would allow access during lunch and before and after work.

    If you want to block against proxies, use SquidGuard plus some blacklists. The ones at urlblacklist [urlblacklist.org] are good, as is the isakurldb [gplindustries.com] list (it's based on dmoz). Another one is the one from shalla.de [shalla.de]. All have social networking categories as well as proxy sites, though shalla's proxy and spyware lists tend to overblock.

    I'd recommend merging urlblacklist's lists with isakurldb, and also shalla (but remove yimg.com from the redirector list manually) for both proxy and social networking. Then use SquidGuard to restrict the access.
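
The list merge recommended in the comment above, as an added example that is not part of the original comment: it combines several SquidGuard-style `domains` files, drops an excluded domain such as yimg.com together with its subdomains, and collapses entries already covered by a listed parent. The list contents are constructed samples, and the assumption is that the redirector treats a listed domain as covering its subdomains.

```python
# Added example: merge several SquidGuard-style "domains" files into one list.
# All list contents below are constructed samples, not real blacklist data.
URLBLACKLIST = """\
# social networking + proxy (constructed)
myspace.com
proxy-one.example
"""
ISAKURLDB = """\
MySpace.com
profile.myspace.com
social-two.example
"""
SHALLA = """\
proxy-one.example
yimg.com
us.i1.yimg.com
webproxy.example   # trailing comment
"""

def parse_domains(text):
    """Return the normalized domains in one list file (one entry per line)."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().strip(".")
        if entry:
            domains.add(entry)
    return domains

def is_within(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def has_listed_parent(domain, domains):
    """True if a shorter suffix of domain is itself in the set."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domains for i in range(1, len(labels)))

def merge_lists(lists, exclude=()):
    """Merge lists; return (sorted blocklist, sorted entries exclude removed)."""
    merged = set().union(*(parse_domains(t) for t in lists))
    dropped = {d for d in merged if any(is_within(d, e) for e in exclude)}
    kept = merged - dropped
    blocklist = sorted(d for d in kept if not has_listed_parent(d, kept))
    return blocklist, sorted(dropped)

if __name__ == "__main__":
    blocklist, dropped = merge_lists([URLBLACKLIST, ISAKURLDB, SHALLA], ("yimg.com",))
    print("\n".join(blocklist))
    print("dropped by exclusion:", dropped)
```

Reviewing the dropped entries before deploying the merged file shows exactly what the manual exclusion removed.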
  • Block the Class C (Score:4, Informative)

    by mr100percent (57156) on Wednesday February 28, 2007 @12:08PM (#18182020) Homepage Journal
    So block the class C's. Things like Myspace Bypass are not your problem, the average user probably won't know about that. At a certain point, you'll find a user who will just run an SSH proxy, and is it really worth the hassle for locking out the more advanced users like that?
  • by Aladrin (926209) on Wednesday February 28, 2007 @12:48PM (#18182528)
    American Heritage Dictionary - Cite This Source
    draconian (dr-k'n-n, dr-) Pronunciation Key
    adj. Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts.

    Words evolve. Deal with it.
  • Quick & dirty (Score:3, Informative)

    by oatworm (969674) on Wednesday February 28, 2007 @12:51PM (#18182564) Homepage
    I had an employer ask me to do this for them as well. Since it was a Windows AD environment, I just set the internal DNS server to point myspace.com to 127.0.0.1 and set DHCP to hand out only the internal DNS server, which is what you want in an AD environment anyways. Obviously, it'd be fairly easy to circumvent (manually plug in an ISP's DNS server - problem solved), but it kind of ties into that "fence" idea mentioned in an earlier reply here, in that, for someone to figure out why Myspace wasn't working, they'd need to troubleshoot it, at which point they'd discover where Myspace was pointing and realize, "Hmm, someone probably intentionally did that."

    I will point out that this was for a smallish company (25 people), not a school or anywhere else where the end-user can basically be assumed to be at least somewhat malicious. But, it does get the job done if you're in a hurry.
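
A detection check for the circumvention this comment mentions (a client pointed at an outside DNS server), as an added example that is not part of the original comment. The key=value firewall log format, the 10.0.0.0/24 LAN and the resolver address 10.0.0.10 are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the LAN range and the internal DNS server.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
ALLOWED_RESOLVERS = {ipaddress.ip_address("10.0.0.10")}

# Constructed firewall log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2007-02-28T12:51:02 action=allow proto=udp src=10.0.0.21 dst=10.0.0.10 dport=53
2007-02-28T12:51:05 action=allow proto=udp src=10.0.0.34 dst=192.0.2.53 dport=53
2007-02-28T12:51:06 action=allow proto=tcp src=10.0.0.34 dst=198.51.100.7 dport=80
2007-02-28T12:52:11 action=allow proto=udp src=10.0.0.34 dst=192.0.2.53 dport=53
2007-02-28T12:53:40 action=allow proto=udp src=10.0.0.10 dst=203.0.113.1 dport=53
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def find_dns_bypass(log_text):
    """Map each LAN client to the outside resolvers it queried, with counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # skip lines that do not parse
        if dport != 53 or src not in INTERNAL_NET:
            continue
        # The internal DNS server forwarding upstream is expected traffic.
        if src in ALLOWED_RESOLVERS or dst in ALLOWED_RESOLVERS:
            continue
        hits[str(src)][str(dst)] += 1
    return {client: dict(resolvers) for client, resolvers in hits.items()}

if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(client, "queried outside resolvers:", resolvers)
```

A firewall rule that permits outbound port 53 only from the internal DNS server closes the gap this check reports.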
  • by Anonymous Coward on Wednesday February 28, 2007 @12:55PM (#18182630)
    A friend of mine worked for the Gordon Flesch Company (~800 people) in Madison, WI. They had a filtering system in place, but it was pretty lax. They had a strict policy, but it had never been enforced. She was a WOW player, and would occasionally check the forums and game sites. Her work was top notch, her co-workers liked her, and her customers were always pleased with her performance.

    One day she was called into her manager's office and fired due to her web usage. No warning, no verbal/written reprimand, just fired. Her last review said her performance was excellent, and there had never been a blemish on her record.

    Now there's a company to avoid working for.

    -AC

    (It's not libel if it's true, but I'm not risking a lawsuit by putting my name on this!)
  • by BandoMcHando (85123) on Wednesday February 28, 2007 @01:02PM (#18182734)
    We use a similar sort of philosophy. If the employee goes to a site that the software thinks is dodgy, they will get a page warning them that we believe it is dodgy, and why, but there is an option to continue onto the page, thereby acknowledging the warning, and choosing to view the content anyway, with such events logged and reviewed by the HR department on a monthly basis.

    (Although most restrictions are lifted outside of normal working hours, and at lunchtime.)
  • Here's a crazy Idea: (Score:3, Informative)

    by Cornflake917 (515940) on Wednesday February 28, 2007 @01:49PM (#18183332) Homepage
    Fire people that aren't doing their job.
