Advice needed please

Hi Everybody

Okay here is the scenario...

Recently I busted one of our employees for surfing inappropriate material at work. I know he has a partner in 'crime', but I suspect that this person is using some sort of eraser program because his internet cache, cookies and index file are completely clean; I may be wrong about this hopefully someone will correct me, but I thought that the index.dat file within 'Temporary Internet Files' was almost like a permanent record of a persons surfing habit.

In light of the above, the question that came to me is, is it possible to define NTFS permissions on the 'Local Settings' folder in such a way as to disallow the user from deleting files from it in the same way that you can with 'normal' user files/folders. I know that there are utilities out there that could possibly help with what I need, but in order to purchase stuff I have to go through an ordering process (I work for a charity).

I hope this is not a stupid question.

Thanks in advance.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

RussS

The index.dat can be deleted too.

kevozz

You can erase the index.dat very easily if your on a different profile than the one being erased.

seuss_ssues

Surely you have some type of logging enabled where you acheive "point of presence" to the internet.

Just filter the logs based on web traffic and his IP address.

Gogousa

Are you working under a domain, If you are, you can block everything with a group policy.

Megadeth4168

We use software on our Proxy server to record where everyone goes on the internet.... This can be done 2 ways... By IP Address (All static here) or by Active Directory login.

We had considered using a RADIUS for some of the same things.

Things are much easier if you are working in a domain enviroment... If not then you may have to go to every machine and set permissions.

Judd

grey fox wrote:

Recently I busted one of our employees for surfing inappropriate material at work.

Here's a thought, if you don't have an acceptable use policy, or the acceptable use policy doesn't explicitly say what "inappropriate material" is, all the evidence you get from this persons computer won't matter because the user can claim ignorance of the policy.

If you do have this in the policy, it should define what action will be taken against the user if found viewing inappropriate material. If you don't have it stated in the policy that you can monitor users activity then you don't have much to go on, and again finding evidence won't really matter.

P.S. Look in the DNS cache, I've used this one many times and regular users rarely purge this.

ipconfig /displaydns

grey fox

Hi Everyone

Thanks for the replies and suggestions.

To be honest, now that I have been able to think things over, I think trying to go after this person would be a waste of effort, so I have decided to let sleeping dogs lie. I think I was losing sight of the bigger picture because this person looked me straight in the eye and lied to me, and I let it get to me. Besides which I have been told that this person is scared of me and has been giving me a wide berth all week

On a positive note, I have been given a budget to implement content filtering. At the moment I am trying out a 1 month free trial through the manufacturers of my firewall, and it seems to be quite effective. It allows you to black list criteria and any sites that fall under these criteria are blocked and logged for inspection. We will see how this performs and take it from there.

If anybody is interested this is the link for the people who actually provide the service http://www.bluecoat.com/

Thanks once again for all your replies.