Another idea is simply to not allow users (assuming that you' re using WinXP) to be local administrators of their computers. That way, they are prevent from installing any software that you don' t want them to.

Make your users Limited Accounts. Some programs won' t run correctly under limited accounts, but if they run well under admin accounts, permissions on the Program Files folder and registry hives can be changed to allow Limited Accounts to write to these. Here' s another idea: http://www.winability.com/folderguard/restrict-downloads-ie.htm

I' m maybe wrong, but I think you didn' t choose the appropriate solution to block surfing. If I understand your config, you disable the internet access simply by browser proxy configuration. This is a poor locking system. IMHO It is more effective to allow only certain machine or user to access your proxy. For machine access control: e.g. you can fix the IP address of allowed machine and ensure that others cannot change their IP. After that, you can allow these machines by writing a firewall policy or probably on your proxy. Some proxies can even allow access based on MAC addresses. Ok, there are some tools to fake MAC, but I don' t think a simple " user" can do it. User access: e.g. you can write a policy on your fortigate asking authentication to access the proxy or some proxies can do authentication. The best is to combine both solution. HTH, Buzzy

Hi Prometejas, Ok, if I understand you, yours users use external proxies (not from your company) I suggest 2 solutions: 1) I understand that you use the FG as a transparent proxy and use its' content filtering. If you don' t, and you have a proxy device, set explicit proxy => require a proxy setting in your browser config and deny all internet accesses except for the proxy. That' s what we do in our company. 2) write an IPS rule to drop attempts to reach proxies of the intenet, it will more efficient than trying to block a specific browser. User ca change easily their " User-Agent" , but they probably do not have de knowlede to change the " Proxy-Connection" header send when a browser try to connect to a proxy server. Here is a snort rule to do it, you have to write it using the Fortinet syntax and apply it for all port not only 80. You can look at my previous post to help you (http://support.fortinet.com/forum/tm.asp?m=14492&p=1&tmode=1&smode=1) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:" BLEEDING-EDGE Policy Proxy Connection detected" ; flow:established; content:" Proxy-Connection" ; classtype:attempted-user; sid:2001449; rev:1;) OTH, Buzzy

What doesn' t work ? Writing the rule ? Detection ? By the way, in your rule I would add: " --flow from_client,established;"