> In other words, you don't need to differentiate access
> per site/computer/user.

That's correct.

> Do these connections involve static IPs? src based
> ACLs would work nicely in that case.

If they had static IPs, I would have figured this out before I posted to the list. ;-)

> The approach you have outlined should work just fine.

OK, that's what I needed to know. I believe I now understand why interception *shouldn't* be done, but sometimes one must sacrifice a little to get the job done.

Truthfully, the biggest problem with our current setup is that you can't _truly_ lock user prefs in Firefox on OSX. We did some research on locking them and did have success, but the OSX binary for Firefox is a fully self-contained package. This means that even if we did lock some settings, such as proxy settings, a user could simply download a new Firefox image and run it from their desktop, thus bypassing all previous locks. That's how we were led to the intercepting proxy idea.

> Given there isn't going to be much (if any) difference
> between workstations it shouldn't be difficult to care for.
> Another approach would be static IPs and src based
> ACLs (as mentioned above).

We toyed around with some other ideas involving DNS or some type of automatic registration by each host, but that got ugly, quick. Problem w/ the IP approach is that some of the ISPs don't provide static IPs unless you pay an extra $30/month. When you're a young company, every dime counts.

Thanks for your help.