In a previous column, I discussed ways to minimize exposure from e-mail-borne viruses and spurious browsing. Based on the feedback I received, I now believe that most CIOs doubt that the company derives benefits from any Internet activity that can’t be directly related to an employee’s job and, therefore, be managed or controlled.

In this column, I’ll discuss some of the observations and suggestions I’ve received for protecting the enterprise while maximizing employees’ usage of electronic mail to and from the Internet and Internet browsing.

Unclogging the e-mail pipes
The most common complaint I received regarding electronic mail through the Internet revolved around the ever-increasing practice of using e-mail accounts to drive advertising. As the advertising revenues for browser-based banner ads continue to plummet, many Internet advertising companies have moved on to a new model. The proliferation of full-time connectivity, especially for corporate users, has allowed advertisers to package their ads as HTML e-mail messages with click-through ads. And instead of being compensated for each ad served or e-mail sent, clients compensate the advertisers based on a performance model in which they only derive revenue from the number of actual click-throughs generated. In an attempt to generate more clicks, advertisers have dramatically increased the number of e-mail messages they send, creating a real bottleneck for companies getting junk-mailed to death.

Although it may seem extreme to most, some companies are so fed up with the volume of “junk traffic” that they have configured their e-mail servers to only accept mail messages from predefined domains. This is the ultimate spam blocker, because it only allows employees to use the e-mail system to communicate with companies that have an established business relationship with their employer. By not adding domains like Yahoo, AOL, and Hotmail to the “approved sender” list, spammers who abuse these services to pollute others’ inboxes cannot get past the SMTP server. Nor can the spammers just open up random SMTP servers and start sending unsolicited e-mails to users, because these e-mail domains would not be on the company’s approved sender list.

Although this approach seems draconian, it’s less so than the alternative: eliminating Internet e-mail entirely. Employees who do business with companies not on the approved sender list need only to send the domain name either to an automated alias or to the help desk to have the domain added to the list (subject to approval by the e-mail manager). Systems can easily accept Internet messages to general aliases (,, and then place these messages in group mail accounts from which employees can read and reply to the mail without concern for the incoming domain. These measures will quickly eliminate not only the spam that clogs most e-mail accounts but also many of the personal messages that force employees to take up company time. Allowing employees to access free Internet accounts or POP3 servers through the corporate firewall will still allow employees to access personal mail, but the use of approved sender lists will keep them from accepting and processing personal mail on the company’s mail system.

Eliminating the pop-up ad
The other great time and bandwidth waster is the pop-up or pop-behind ad. In an attempt to force users to notice their ads, Web sites spawn a secondary window with the ad they want you to see. This has become a huge industry.

Currently, Web sites generate around 24 billion ad impressions per week. What’s their defense? Internet content remains content as long as ads subsidize it. But most business-related sites derive revenue either from products they’ve sold, for which users seek support, or from services being purchased, for which the sites will generate revenue.

Companies should make every effort to eliminate these annoying pop-up and pop-under ads, as well as what I like to call “machine gun” ads—rapid fire, cascading ads in windows without close buttons or back buttons that sometimes even restrict mouse movement within the frame of the ad. (, the king of the pop-under ad, generated 28 million unique visitors to its site based on these pop-under ads in May 2001 alone.) And the problem can only grow worse, as many media analysts expect online advertising to double by 2005.

Companies can eliminate these ads using either client or server technology. Eliminating the ads using client technology can be done in one of two ways. The first is to turn off all Java applets, client scripting, Flash, and other client-side browser capabilities. Unfortunately, this may also cripple some of the sites that you want employees to use. A second, more palatable (and more expensive) way to solve the problem client-side is to install ad-blocking software. Two of the more common products are AdSubtract Pro and Norton Internet Security. You can use standard proxy servers to initiate server-side blocking of these ads. By only allowing access to specific domains, the ads can’t get through to your users unless you’ve added the domain generating the ad to your approved sites list. Allowing access to named domains limits Internet usage to sites deemed useful by departmental or companywide Web auditors and effectively eliminates “excess adage” from getting through.

I have to admit that I’ve always been an advocate of opening up the Internet pipe and then shutting out known offenders instead of taking the more conservative approach of closing down the pipe and opening it up to known partners. But many of the observations and experiences of TechRepublic members have made me at least consider the more conservative approach. Of course, in the long run, I believe this discussion will be moot.

Within the next decade, browsing will go the way of over-the-air broadcast television, replaced by intranet systems communicating with known partners using Web services, much like pay cable continues, albeit slowly, to eliminate advertiser-supported television.