5

This is for a home PC (not on any domain). My kid is a monster when it comes to clicking around and messing with settings (ranging from installing add-ons in the browser to changing Windows settings or even installing apps from the Windows Store) and/or visiting websites that he shouldn't. To overcome that, I've created a standard account (Windows login) for him and kept just the Google Chrome icon on his Desktop.

This allows him to open the browser but I would like to limit to opening only youtubekids.com website when logged into the standard account. But this restriction should not apply when logged in as an admin.

Is it possible to do this?

PS: I've read about the hosts file and proxy settings via IE, but I'm hesitant as I feel it will affect all users (irrespective of the type of account).

2

2 Answers

3

Here's a solution using the Windows Task Scheduler and Windows Firewall:

https://serverfault.com/a/637000/419032

The basic idea is to set up outbound firewall rules limiting access only to specific websites, then set up a task which enables the firewall every time a user logs on and another task to disable the firewall when a specific user logs on.

Of course you're only relying on your router firewall at this point to protect you when the Windows Firewall is off. Depending on the size of your network, this may be acceptable.
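One way the setup described in this answer could look in PowerShell, as an added example that is not from the answer or the linked Server Fault post. The account name `ParentAdmin` and the rule and task names are assumptions, and instead of switching the firewall off for the administrator this variant only resets the default outbound action to Allow, so inbound filtering stays on.

```powershell
# Added example. Run once from an elevated PowerShell prompt.
# Assumptions: the admin account name, the rule/task names, and that pinning
# the addresses DNS returns today is enough to reach the site (other hosts the
# site loads content from, and later address changes, are not covered).
$adminUser = "$env:COMPUTERNAME\ParentAdmin"   # hypothetical account name
$site      = 'www.youtubekids.com'

# 1. Outbound allow rules: DNS lookups, plus HTTPS to the site's current addresses.
$ips = Resolve-DnsName $site -Type A |
       Where-Object { $_.IPAddress } |
       Select-Object -ExpandProperty IPAddress -Unique
New-NetFirewallRule -DisplayName 'Kids - allow DNS' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53
New-NetFirewallRule -DisplayName "Kids - allow $site" -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $ips

# 2. Both tasks run as SYSTEM, because a standard user cannot change the firewall.
$system = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
function New-FirewallAction([string]$Command) {
    New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -Command `"$Command`""
}

# 3. At every logon: firewall on, outbound blocked unless a rule allows it.
$lock = 'Set-NetFirewallProfile -All -Enabled True -DefaultOutboundAction Block'
Register-ScheduledTask -TaskName 'KidsFirewall-Lock' -Principal $system `
    -Trigger (New-ScheduledTaskTrigger -AtLogOn) `
    -Action (New-FirewallAction $lock)

# 4. When the admin logs on: outbound default back to Allow. The delay makes
#    this task run after the lock task, which also fires at the admin's logon.
$adminLogon = New-ScheduledTaskTrigger -AtLogOn -User $adminUser
$adminLogon.Delay = 'PT15S'
$unlock = 'Set-NetFirewallProfile -All -DefaultOutboundAction Allow'
Register-ScheduledTask -TaskName 'KidsFirewall-Unlock' -Principal $system `
    -Trigger $adminLogon -Action (New-FirewallAction $unlock)

# 5. Check what is in place.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-ScheduledTask -TaskName 'KidsFirewall-*' | Select-Object TaskName, State
```

The logon trigger fires only when a session starts, so the administrator should sign out rather than switch users; otherwise the Allow default stays in effect when the child returns to an already open session.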

2

Still there is a way to do it using HOSTS file:

  • First, block the websites you don't want to allow access to, using the hosts file from the Administrator account. (Add an entry for youtubekids.com to your hosts file with its IP address and then set the DNS server to a non-existent one.)

  • Then save this code as a batch file and execute it in the Administrator account: (Replace "Connection name" with the network SSID or name, and change the DNS server in the netsh line if you like.)

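@echo off
rem openfiles returns errorlevel 0 only when the session is elevated
openfiles >nul 2>&1
if %errorlevel% equ 0 (
  rem Administrator: back up the hosts file, empty it, and set a working DNS server
  type "C:\Windows\System32\drivers\etc\hosts" >C:\tempfile123.txt
  type nul >"C:\Windows\System32\drivers\etc\hosts"
  netsh interface ipv4 set dns name="Connection name" static 8.8.8.8
) else (
  rem Not elevated: put the saved entries back and set a DNS server that does not exist
  rem (else is used so that a failing netsh above cannot trigger this branch)
  if exist C:\tempfile123.txt (
    type C:\tempfile123.txt >>"C:\Windows\System32\drivers\etc\hosts"
  )
  netsh interface ipv4 set dns name="Connection name" static 3.4.5.6
)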
  • After saving this as a batch file and executing it, put it in the Startup folder (C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) of your kid's and the Administrator account.

  • Reboot and enjoy!

How does it work?

The batch file does the magic. It checks for elevated privileges of the logged-on user. If the user is an administrator, it saves the content of the HOSTS file into another file, clears the HOSTS file, and sets a correct DNS server. If the user is not an admin, it places the content of the temp hosts file into the real HOSTS file and sets an invalid DNS server. And you are placing this bat file in Startup so it happens when the user logs in.

Note: Make sure your kid does not know anything about the hosts file and the Startup folder. If your kid knows, then I recommend using the Comodo utility to stop him from accessing certain websites.

8
  • 1
    I like the outside the box idea! But doesn't this solution require the user logging in to have permissions to modify the hosts file? Something non-administrators would not normally have.
    – twconnell
    Commented Jun 13, 2020 at 8:56
  • Thanks. I understood what this batch file does but I'm afraid I'm not very technical on some terms (like how to ensure non-existent DNS is used and how to get the network ssid). If it helps, my PC is connected to my router via a LAN cable.
    – asprin
    Commented Jun 13, 2020 at 11:22
  • @asprin That means a DNS server that does not exist, like 3.4.5.6 (IP address).
    – Wasif
    Commented Jun 13, 2020 at 14:11
  • The network SSID is service set identifier, which is actually the name of your network.
    – Wasif
    Commented Jun 13, 2020 at 17:02
  • 1
    Don't use fake IP addresses like that; this is bad and unwarranted. Use either loopback or the range reserved for documentation (192.0.2.0/24). Better: change the logic so that no nameserver with a fake IP address is needed.
    Commented Jun 13, 2020 at 22:06
