Nobody has mentioned this, so maybe I should. It is not difficult to bypass the hosts file on *any* operting system whatsoever, by just writing your own resolver. This is easier than you think---the standard resolver library has all the machinery you need modulo creating the UDP socket. Bind has an even easier library... and an example of how to use it (aka dig). AFAIK winodws update et al are based on http, so a firewall that requiries one to use the provided HTTP proxy can block its requests (and lots of instant messgaing software). You could even use a transparent proxy so nobody notices anything until the proxy denies their request. You can do all the above with a solution like sonic wall (and presuambly their competitors' alternatives), linux+iptables, and presumably similar faciltiies on other platforms. I think the advice is to buy or build a seperate firewall, configure it to deny anything not desired, and you should be safe. Rerquiring the use of a local proxy or name servers just requires blocking outbound requests to the appropriate ports from all other hosts. I suspect bugtraq would *not* recommend any seperate firewall based on M$ windows, but would recommend using the provided firewalling feattures. -- Duncan (-: "software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
