We have a few users here who are using Facebook during working hours and their productivity is through the floor. As a temporary measure I have remotely edited their hosts files to point facebook.com and its various subdomains to the loopback address, and then manually comment them out at lunch time so they can use it.
This is obviously a bit tiresome doing this for a number of users every day.
I am looking at trying to find something that can do this blocking automatically on schedule.
I was thinking some kind of proxy server which I can add to the proxy settings on their browser via group policy.
Does anyone know of any free or cheapish software solution for Windows that will do this? Or maybe something standalone I can install on a PC/VM?
I guess I could always write and schedule some batch files to switch a blocked hosts file with a non-blocked one.
Network is Windows 2003 SBS server, Windows XP SP3 workstations, single interface on server, Netgear DG834 router which, whilst it does have some scheduling, doesn't allow setting of a window, only a single block window - for example 9-5pm, but I would want to open it in the middle.
As someone who used to be responsible for the proxies, firewalls, and web filters I very much agree with @DanBig's comment and urge you to politely tell management "I don't care" and let them deal with it. Babysitting is a management / HR issue and should not be left to working level IT. If you have resource contention to the point where someone's Facebook activities are causing performance issues on your network and you don't already have filtering software in place, block their switch port or something and get management involved. Then work with management / HR on an acceptable use policy, which could also include a proxy / web filter to help enforce said policy. IT can help to define the policy, but HR should be the owner of the policy.
You do NOT want to get in the middle of legal battles or other conflicts with disgruntled [former] employees if / when they start coming down the pipe. It's not a long decline from exuberant Facebook usage to other questionable uses of the Internet.
If what you're doing right now is working but the issue is that it's taking too much of your time, then scheduled tasks are your friend :)
Pop the two versions of the hosts file on the network somewhere (with FB enabled/disabled), and then set up a scheduled task, pushed out by GPO.
At lunch time (say, 11:30) it copies the "FB Enabled" hosts file, and then after lunch (say, 13:30) it copies the "FB Disabled" hosts file.
Price: $free
Difficulty: Easy
Effectiveness: Good
Management Overhead: Medium
For the record, squillman's answer is the one I would prefer as a sysadmin, but we all know that's not the way it works in real life.
Another alternative would be to block Facebook et al from people's work machines from 9-5 but set up an "Internet Cafe" in a communal area where they can have access to the internet for personal browsing at lunchtime.
These machines could be locked for most of the day but only open from 11 am till 2 pm (for example).
As these machines are effectively "public" people would then have to learn to log off when they've finished.
This would also help clearly delineate private and work usage of the internet.
Wow, that is definitely the hard way.
There are a multitude of web filtering solutions out there that will do what you need. SquidGuard is probably the popular/simple choice, but there is no shortage of free/cheap options (as well as ridiculously expensive ones); Untangle, DansGuardian, or the free versions of some of the unified threat management appliances out there like Astaro would do the trick.
While I agree with most here that this is a management issue and in an ideal world it would end with a new policy, in the world in which we live, an enforcement arm is required in addition to policy.
Others have mentioned several packages you could purchase; I think what you've done is fine -- what you need is a way to automate it. I think a simple PowerShell script and a pair of scheduled tasks would work just fine.
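The hosts-file approach from this answer and the earlier scheduled-task answer, as an added example that is not code from any poster in the thread: rather than copying two whole hosts files, one script adds or removes a marked section according to the current time, so it is safe to run repeatedly and leaves other hosts entries alone. The domain list, window times, marker text, task names and script path are assumptions.

```powershell
# Added example (not from the thread). Domains, window times, marker text and
# the script path below are assumptions; adjust to the agreed policy.
# Run as SYSTEM from three scheduled tasks so a PC that was off at a
# switch-over still converges (XP's schtasks wants HH:MM:SS):
#   schtasks /Create /TN HostsAllow /SC DAILY /ST 11:30:00 /RU SYSTEM /TR "<cmd>"
#   schtasks /Create /TN HostsBlock /SC DAILY /ST 13:30:00 /RU SYSTEM /TR "<cmd>"
#   schtasks /Create /TN HostsBoot  /SC ONSTART            /RU SYSTEM /TR "<cmd>"
# <cmd>: powershell -ExecutionPolicy RemoteSigned -File C:\Admin\Set-HostsBlock.ps1
param(
    [string]$HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string[]]$Domains   = @('facebook.com', 'www.facebook.com'),
    [TimeSpan]$AllowFrom = '11:30',
    [TimeSpan]$AllowTo   = '13:30',
    [DateTime]$Now       = (Get-Date)   # overridable for a dry run
)

$Begin = '# BEGIN scheduled-block'
$End   = '# END scheduled-block'

# Read once; keep every line outside our marked section so that any other
# hosts entries on the workstation survive the rewrite.
$current = @(Get-Content -Path $HostsPath)
$kept    = @()
$inBlock = $false
foreach ($line in $current) {
    if     ($line -eq $Begin) { $inBlock = $true }
    elseif ($line -eq $End)   { $inBlock = $false }
    elseif (-not $inBlock)    { $kept += $line }
}

# Sites are reachable only inside the lunch window [AllowFrom, AllowTo).
$tod     = $Now.TimeOfDay
$allowed = ($tod -ge $AllowFrom) -and ($tod -lt $AllowTo)

if (-not $allowed) {
    $kept += $Begin
    foreach ($d in $Domains) { $kept += "127.0.0.1`t$d" }
    $kept += $End
}

# Rewrite only when the desired state differs, then drop cached lookups so
# the change takes effect without waiting for the resolver cache to expire.
if (($current -join "`n") -ne ($kept -join "`n")) {
    Set-Content -Path $HostsPath -Value $kept -Encoding ASCII
    ipconfig /flushdns | Out-Null
}
```

Because the tasks run the script as SYSTEM, keep it in a location ordinary users cannot write to, and note that the block only holds while users are not local administrators who can edit the hosts file themselves.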
We had 3 machines with open internet access in a public area with blocked access to questionable sites through OpenDNS and sectioned off from the rest of the network. The rest of the production floor did not have internet access. Served a site with 50+ users rather well, but our business is not very web-access heavy.
The easiest(*) is to install Ubuntu on a PC with 2 network cards, configure iptables + Squid + DansGuardian and block users by IPs. The proxy will be transparent, so there is no need to configure users' browsers. In DansGuardian you will be able to create user groups and assign different sets of rules to each of them. DansGuardian supports scheduling.
Besides blocking, I would recommend implementing reporting. Reports are very important: people are much more responsible when they know that they are accountable. We used SARG, which published daily reports on a local website so everyone, including management, can see statistics.
I prefer agreements rather than policies and reports to the management. So, we agreed that social networking will be available during lunch time and after working hours and that is enough for 98% of staff.
* Easiest because:
We have a similar situation at my workplace. We solved it by putting the problem users all on the same subdomain and blocking that subdomain's access to Facebook, etc. through the firewall. If your firewall doesn't accept hostnames there will be some maintenance associated with changing DNS records but this seems like an acceptable solution compared to your current solution.
You could also enable time-based restrictions depending on your firewall software.
I'm in general agreement with what alexm wrote but would tackle it slightly differently. Rather than build a system from scratch I suggest using one of the very easy to use firewall distros. I personally favour Smoothwall but there are a number of others to choose from. In addition to allowing you much more flexibility for filtering than you currently have, you will also gain the benefits of having a decent gateway firewall.
Most firewall distros have very good community support, so it's quite possible someone has already created an add-on to suit you. Otherwise, while the settings you are after may not be available in the normal management console, they're easily implemented via squid and cron. With very little scripting you can have as much granularity and control as you desire.
Take a look at FortiGate firewalls. They have application level blocking.