Proxy Problems

Summary: When computerized means of enforcing usage policies fail, it comes down to teachers to enforce them during class.


So I thought I had successfully blocked MySpace through firewall policies at our school. I'd blocked by keyword (myspace) and by URL ( and The school administrators were happy, the parents were happy, and the teachers were happy. In fact, the teachers were happiest of all since the kids were no longer spending any available computer time MySpace-ing.

Then one day I noticed that about half of my class was logged into MySpace instead of building the real web sites I had assigned.  How could it be, you ask?  Well, most of you have probably discovered the big bad world of proxy servers already.  Our students certainly have, and in fact, are now able to surf the net unfettered by silly content filters if they can get to these sites.  The idea is fairly simple: surf the web via another site/computer not known to our content filters.  The most savvy of students have even figured out how to set up their own home computer as a proxy server so that they can log into their computers from school and surf at will.

The real problem here is that, unless we can find out every proxy server the students are using (which we can't), and specifically block each of them (not gonna happen), then we can't prevent them from using the proxy servers and bypassing the policy filters we have worked so hard to put in place.  These are the same filters that the Childhood Internet Protection Act dictates we effectively maintain if we want to see federal funding (see the post, "Safety First").

There are a few things we can do to disable as many of these proxies from behind our firewalls as possible. By blocking the keyword "proxy" on our firewalls (or our own proxy servers, depending on our architecture), we can prevent students from searching for new proxy sites, as well as any sites that contain the word proxy.  Again, depending upon architecture and available software, we can also disallow all "unknown" sites; this will take care of the kids' homegrown proxies. Our content filter vendor, unfortunately, maintains a database of objectionable sites, rather than good and known sites, so this may not be an option.  Finally, many of the students in our school subscribe to email lists that regularly publish new large proxy sites.  I have subscribed to a number of these and immediately block the latest and greatest sites that the kids are trying to use.
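To make the trade-off above concrete, here is an added example (not from the original post or any filter vendor) that runs the same requests through a "known bad plus keyword" policy and a "known good only" policy. All domains, the IP address and the list contents are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed policy data (assumptions for illustration only).
DENYLIST = {"myspace.com", "bigproxy.example"}          # vendor-style "known bad" list
ALLOWLIST = {"school.example", "encyclopedia.example"}  # "known good" sites
KEYWORDS = ("myspace", "proxy")                         # keyword blocks from the post

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _in_list(host, domains):
    # Match the listed domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def denylist_policy(url):
    """Block known-bad domains and keyword hits; allow everything else."""
    if _in_list(_host(url), DENYLIST):
        return "block"
    if any(k in url.lower() for k in KEYWORDS):
        return "block"
    return "allow"

def allowlist_policy(url):
    """Default deny: only known-good domains are reachable."""
    return "allow" if _in_list(_host(url), ALLOWLIST) else "block"

# Constructed sample requests.
SAMPLE_URLS = [
    "http://www.myspace.com/",
    "http://bigproxy.example/browse",                 # published proxy, already listed
    "http://203.0.113.25/index.php",                  # unlisted host, no keyword in URL
    "http://encyclopedia.example/wiki/Proxy_server",  # legitimate page with the keyword
    "http://school.example/assignments",
]

def compare(urls=SAMPLE_URLS):
    """Return (url, denylist verdict, allowlist verdict) for each request."""
    return [(u, denylist_policy(u), allowlist_policy(u)) for u in urls]

if __name__ == "__main__":
    for url, deny, allow in compare():
        print(f"{url:48} denylist={deny:6} allowlist={allow}")
```

The unlisted host passes the denylist policy and is stopped only by default deny, while the keyword rule blocks a legitimate reference page that the allowlist would have permitted.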

However, the ultimate responsibility for ensuring that students are not exposed to objectionable content lies with teachers and administrators. It lies with administrators who must write comprehensive, clear computer use policies that outline appropriate and acceptable uses of computer and network resources. These policies must also clearly outline consequences for violation of the policies and should probably address proxies specifically.

Perhaps more importantly, though, the responsibility must lie with the teachers who bring their students to computer labs for research and classwork; it lies with the teachers who teach computer classes. Nobody knows better than I how difficult it is to monitor every student who uses a computer. However, educational IT staff and teachers must work as partners to comply with federal regulations and keep kids safe on the Internet. For six hours a day, we are responsible for what they see and do; teaching faculty need to keep in mind that even the best educational IT folks can't keep up with the rapid proliferation of proxies, social networking, and all-around bad stuff on the Internet.  Although software and hardware tools are available to help, as always, the real work comes down to people.

Christopher Dawson

About Christopher Dawson

Chris Dawson is a freelance writer, consultant, and policy advocate with 20 years of experience in education, technology, and the intersection of the two.

  • We used to get in trouble for chewing gum

    Here's a better solution. You get caught using MySpace or any forbidden website, you get sent to the office and you spend the entire day cleaning up the bathrooms and campus and forget about the union rules protecting certain cleanup jobs. You can't ever stop the Internet short of cutting off Internet Access or severely limiting access to a small white list of IP addresses. Attack the problem at the root and make the kids responsible for their actions.
    • I agree with you George!

      This is where comprehensive 'rights and responsibilities' policies WITH TEETH IN THEM can go a long way.
      M Wagner
    • The original title of this blog...

      was going to be "Why can't we just suspend the little rugrats?" - You're right. We need clear and decisive consequences for violating the clear policies I mentioned in the post.

    • Agreed, but the ACLU and seventeen other lawyers don't

      So unless you want to pay the bills, that one goes in the crapper where that kid ought to be.
  • A suggestion ...

    Chris, you mentioned some kids using their computers at home as proxy servers. More likely than not, there are only a handful of broadband and DSL providers available to the homes in your district. Can you block a range of IP numbers? So that you could block all of your students from accessing your local cable company's assigned IP numbers? This might at least help a little.
    M Wagner
    • Great idea, Marc...

  • The grey area

    I run a few proxies and am sometimes (always) working against people like you. I'm going to throw you a sympathetic bone. If you look carefully you will see that almost every single proxy uses one of two popular scripts. This is the only reason it is easy for anyone to set one up at home. If you filter the well-developed and very common scripts I think you will find that very very few will be able to create their own.

    Can you only block by domain or can you also scan URLs for strings? If you can scan for strings then I know how you can defeat the very simple 3-possibility encoding of PHProxy []. The other popular script is CGI-proxy. Go figure!

    Do you block changes to the "Tools" -> "Internet Options" -> "Connections" -> "Settings" -> "Proxy" section?

    Help me help you help me. :)