+ 0 Votes
Here's a solution
chris_atb 6 years ago

MAC address filtering; this will stop outsiders from stealing IPs unless they're smart enough to change their laptops' MAC addresses to ones of the client computers, which I severely doubt. And even if they did, it would make it easier for you to find the culprits. Another is to use DHCP and bind IPs to MAC addresses so each machine will only get the IP address that the DHCP is authorized to give out to that machine.

+ 0 Votes
Information Security Policy...
Wiseguytr 6 years ago

This is of course the most correct solution. But the thing is you cannot fire a CFO. InfoSec policies can be run pretty sharply when working in a corporate company, but in smaller companies, rules are obviously bent. Results are disastrous and IT guys get the blame for it. In the end, as you have spelled it correctly, we're cleaning viruses every day, trying to catch the backdoorers via registered MAC list... Hopeless... My IPSEC Policy is still waiting to be signed...

+ 0 Votes
User account access control.
1bn0 6 years ago

I believe our FortiGate firewall controls net access. Access is based on your network user account login. You cannot log on to the network unless the computer is a member of the domain, so you have to log on to the domain. Once you are logged on to the domain, the firewall restricts access based on your user credentials. Example: our lunch room computer automatically logs on to a limited user account for local intranet access. No internet access to that user. I log on under my account on the same computer and I can access the internet because I have permission from the firewall / gateway.

+ 0 Votes
Linux Squid with Domain Authentication
nis_india 6 years ago

I hope you need a solution to restrict the internet usage based on user; then the solution would be:
Linux Squid proxy with Domain Authentication will ensure that your users are logging on to the domain as well as have a valid IP address, and also allow you to restrict time-based internet browsing. Through this you have total control over the situation. You can also do many more things in Squid.

Thanks,
Nishant

+ 0 Votes
Are they local admins?
AstroCreep 6 years ago

If they can change their IP addresses/settings, that means they have local administrative rights on their systems - change them all to Power Users and this won't be an issue. Or if they are set up as Power Users right now, are they also members of the 'Network Configuration Operators' group? If so, remove them from that group.

+ 0 Votes
IP fun
rmathis 6 years ago

Squid is a nice feature and so is ISA listed above. If you're that strong about going and doing this, Cisco is the way to go. And very few HP switches can do it as well. Find a few older manageable Ciscos and block down the ports to match the MACs along with DHCP tied to MAC. It is still possible to spoof the MAC but it makes for a much tighter and easier setup for the future. Also get them out of the Admin group; there should be no way for them to change their local address. Prohibit the use of personal laptops as well; make users sign an agreement saying they won't bring one in.

+ 0 Votes
Policy
retro77 6 years ago

Institute a policy that no home PCs can come into work. If you are that secure on your internet access, then you need to be that secure on your home PCs. The punishment has to be termination of employment or people won't listen. Plus home PCs coming in with who knows what virus/worms/malware on your "protected" network, a nightmare waiting to happen.
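
Added example (not posted by anyone in this thread): one way to audit the DHCP-to-MAC binding and registered MAC list discussed above is to compare what is seen on the wire against the reservations. The reservation table, the observed entries and the function names are all constructed for illustration; real input would come from your own router ARP table and switch MAC table.

```python
"""Audit observed IP/MAC pairs against DHCP reservations (constructed data)."""
from collections import defaultdict

# Constructed DHCP reservations: MAC -> the only IP that machine may hold.
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
    "00:11:22:33:44:03": "192.168.1.12",
}

# Constructed observations as (ip, mac, switch_port).
OBSERVED = [
    ("192.168.1.10", "00:11:22:33:44:01", "Fa0/1"),  # compliant
    ("192.168.1.50", "00:11:22:33:44:02", "Fa0/2"),  # registered MAC, self-assigned IP
    ("192.168.1.12", "00-11-22-33-44-03", "Fa0/3"),  # compliant, different notation
    ("192.168.1.12", "00:11:22:33:44:03", "Fa0/7"),  # same MAC on a second port
    ("192.168.1.77", "de:ad:be:ef:00:01", "Fa0/9"),  # device not on the MAC list
]

def normalize_mac(mac):
    """Accept aa:bb.., aa-bb.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, observed):
    """Return (finding, mac, ip, port) tuples for every policy violation."""
    reserved = {normalize_mac(m): ip for m, ip in reservations.items()}
    findings = []
    ports_by_mac = defaultdict(set)
    for ip, mac, port in observed:
        mac = normalize_mac(mac)
        ports_by_mac[mac].add(port)
        if mac not in reserved:
            findings.append(("UNREGISTERED_MAC", mac, ip, port))
        elif reserved[mac] != ip:
            # Registered machine holding an IP DHCP would never hand it.
            findings.append(("IP_MISMATCH", mac, ip, port))
    # One MAC on several ports means a moved machine or a cloned address.
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(("MAC_ON_MULTIPLE_PORTS", mac, None, ",".join(sorted(ports))))
    return findings

if __name__ == "__main__":
    for finding in audit(RESERVATIONS, OBSERVED):
        print(finding)
```

The MAC_ON_MULTIPLE_PORTS finding gives the switch ports to check when a registered address turns up somewhere other than the machine it belongs to.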