Controlling Internet access by operators


Thread Starter

Diana Bouchard

I have been working on an operator decision support system that includes a number of HTML screens for presenting conclusions and recommendations. The effective use of this system in the mill has been limited because the operators have reportedly been using the browser to 'surf the net' and view X-rated web sites (especially on third shift, I suspect), so management keeps insisting on removing the browser.

I would think that removing the physical connection between the control room and the outside Internet would be the most direct solution, but they seem to be reluctant to do that. I know there exist watchdog programs which block access to sites with certain characteristics or else a list of sites, but they don't work perfectly and a computer-savvy operator can probably get around them. Any suggestions out there?

Diana Bouchard

Diana C. Bouchard
Paprican, Process Control Group
570 St Johns Boulevard
Pointe Claire Quebec H9R 3J9 Canada

Johan Bengtsson

Do they need access to any site outside your intranet? Probably not, since the browser could be removed.

Would not disabling all IP going elsewhere be a nice solution, like removing the "default gateway", removing DNS servers or something even more direct (like blocking it in the gateway)? A firewall can block traffic in both directions....

I don't know all the possibilities here but it may give you a direction.

/Johan Bengtsson

P&L, the Academy of Automation
Box 252, S-281 23 Hässleholm SWEDEN
Tel: +46 451 49 460, Fax: +46 451 89 833

We've found that firing the first person caught visiting porno sites moderates the desire for the rest of the employees to engage in this activity. Very low-tech, but effective.

Willy Smith
Numatico SA
Costa Rica

Steve Monnet

Hello Diana,

I have implemented an Internet connection in an Oil Industry in Switzerland. In order to avoid the problem you describe, we have implemented a log system which traces every access to an external site and logs it with the name of the user. The system is also able to block the connection to X-sites (but you must maintain the list manually, which is impossible!). We have obliged the operators to sign "security and ethics policies" and we check monthly the list of sites visited by them.

I think this is a good solution because we authorize the surf and keep it "under control".

We use a firewall from Bull and the proxy server of Netscape; we have also added an antivirus system.

I hope this can help you and keep the door open for the operators.
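The logging and monthly review described in the post above, sketched as an added example (not code from this thread or from any product named in it). It assumes the proxy writes Common Log Format lines carrying the authenticated user name, and that the intranet is the hypothetical domain `mill.example`; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumption: hosts under these suffixes belong to the company intranet.
INTRANET_SUFFIXES = (".mill.example",)

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def target_host(method, target):
    """Return the lower-cased destination host of a proxied request."""
    if method == "CONNECT":  # HTTPS tunnel: the target is host:port
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def is_intranet(host):
    return any(host == s.lstrip(".") or host.endswith(s) for s in INTRANET_SUFFIXES)

def external_access_report(lines):
    """Return ({who: Counter(external host -> hits)}, [unparsable lines])."""
    report, rejected = defaultdict(Counter), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            rejected.append(line)  # keep for manual review, never drop silently
            continue
        host = target_host(m["method"], m["target"])
        if not host or is_intranet(host):  # no host means not a proxied request
            continue
        # Unauthenticated requests are attributed to the workstation address.
        who = m["user"] if m["user"] != "-" else "unauthenticated@" + m["client"]
        report[who][host] += 1
    return dict(report), rejected

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '10.0.5.11 - operator1 [03/Mar/2000:02:14:07 -0500] "GET http://dss.mill.example/advice.html HTTP/1.0" 200 5120',
    '10.0.5.11 - operator1 [03/Mar/2000:02:15:40 -0500] "GET http://www.example.org/page1 HTTP/1.0" 200 20411',
    '10.0.5.11 - operator1 [03/Mar/2000:02:16:02 -0500] "GET http://www.example.org/page2 HTTP/1.0" 200 1833',
    '10.0.5.12 - - [03/Mar/2000:03:01:55 -0500] "CONNECT shop.example.net:443 HTTP/1.0" 200 -',
    'garbage line',
]

if __name__ == "__main__":
    report, rejected = external_access_report(SAMPLE_LOG)
    for who, hosts in report.items():
        print(who, dict(hosts))
    print("unparsed lines:", len(rejected))
```

Requests to the intranet decision-support pages are left out of the report, so the review list contains only off-site destinations per user or workstation.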


Have you asked your IT department?

The best way to do this is to route all internet traffic through a proxy server/firewall and limit

a) access to certain sites from the company network; and

b) the personnel and/or the workstations that have access to the internet.

There have been a number of comments on this list recently about the advisability of connecting control and commercial networks. It might be a good idea to review some of them.

Michael Griffin

How is the internet being accessed? If through a connection managed by the network servers, then your network should be able to be configured to prevent outside internet access for particular computers (accounts actually) while still allowing access to any sites inside the company. This is common practice for many companies so your network managers should know how to do this. This should be the simplest and most reliable method.

Michael Griffin
London, Ont. Canada

Typically to access the outside internet you go through a proxy. You should be able to configure the proxy to not allow those machines to access the internet. Alternatively, use a monitoring program to monitor what the employees are looking at and fire them if they are violating the corporate internet policy.

Manny Hellstern


Any computer can be set up to act as a web server onto which you can load your HTML files. The operator machines can be set up so that that is the only server they see. The only network web server the operators have rights to will be the one with your HTML files on it.

If you are running a Microsoft operating system, you can set your own computer to be a web server by going into Control Panel, Network, Services and adding (depending on NT, 95, 98) a web server service, i.e. Personal Web Server or IIS. This service can work for a small number of users but you might want to get the full blown version if you find performance problems.

Anyway, it is a cheap way to test it out. Good luck.

Manny Hellstern
Mustang Engineering
Houston Tx

Ranjan Acharya

Put them on an intranet! The security concerns alone of having operator stations of any sort on the Internet scare me to death. There is no better security than a broken link.


Ranjan Acharya
Team Leader - Systems Group
Grantek Control Systems