Beginners RRAS or ICS question

I have a small business and would like to set up an area that currently has 5 (10 soon) XP home computers in it for tutoring kids at our office. We have 1 Linksys router between the internet and our LAN. Would like to place an older win2000 server between this group and our LAN to completely separate them. Finally the question, since the WAN NIC on the W2K server would be obtaining an IP in the 10.10.x.x range (from router) and the LAN NIC is using 192.168.1.x addresses, will this work? Everything I've read so far states the WAN NIC has a direct connection to the internet.

Answer Wiki


Two things to consider here:

First… Where would the Windows 2000 system be connecting to? (Yeah, I ended a question with a preposition) Do you want the kids to have Internet access from a tutoring system? Are you intending for them to get access to courseware of some sort through the Win 2000 system? or from the Internet?

You’ve described a physical layout without describing the objective of the connection. Unless there’s a specific reason for this tutoring network to go anywhere, I’d recommend that it just stand alone. The most effective firewall is a connection that leads nowhere.

Secondly, I’d make a couple of really serious recommendations for the student workstations:
– Build a “master” O/S sample on a machine which students do NOT have access to
– Get an external hard drive of some sort. Type doesn’t matter as long as it’s got enough capacity to contain a complete “ghost” image of the basic O/S, applications, whatever’s on the system, since I know from experience that some bright kid is going to sabotage one or more of them at some point.
– Go to (Center for Internet Security) and get their benchmark tool (free) to lock down the configuration of your master system (The one from which the ghost image will be built).
– Consider using tweakui to further lock down the desktop. This tool is available at (NOTE: There are multiple versions of tweakui and they do NOT interoperate well among various O/S versions).
– Then “ghost” the created, secured image on to each student machine. That way if/when disaster strikes, all you have to do is “re-ghost” the target machine from your off-line master, change the name back to a unique one, and you’re back in business.

– From time to time, apply your patches to the master configuration, re-create the ghost image, and re-ghost the machines. That way, they STAY all in sync. Kinko’s, for example, re-images all their rental machines every night. You probably don’t need to go to that extreme, but that shows the value of being able to keep your machines clean.

This might sound like a lot of up-front work, but it will save you endless hours when something goes wrong.


Discuss This Question: 6  Replies

  • Bobkberg
    Yes, you can lock out tweakui, but last time I tried that, I couldn't get it back either - and I was administrator! What I'd recommend instead is making sure that the disk format is NTFS, and using file permissions to lock out anyone but admin from using it. In fact - put it and other tools in a locked-down directory. Anything you're doing with Internet content blocking is going to be firewall or software dependent, so I've got no advice there, other than having eyes in the back of your head. But then, every parent knows that! Bob
    1,070 points
  • GVamos
    There are various proxy packages you could run on the server that can block access at certain times, to certain sites and from certain machines. Some of them are quite affordable.
    0 points
  • kmnair
    Talking about proxies, there is a free Windows proxy available. Go to They have an excellent free Windows proxy. That should serve most of the points you are searching for. But I have a vague and uneasy feeling that they may go commercial any moment with the kind of features the package has. kmnair
    10 points
  • Dolson
    You might try another solution for Internet access for your group. I'm not sure if you're comfortable with Linux, but there is a distribution called IPCOP which is designed to be a Firewall/Router/Gateway. There are also enhancements for this distribution that allow content filtering and stuff like that. IPCOP is also free and because it is Linux based, it is not picked on as much as M$ machines are. It requires very little processing power, can run as proxy, provides DHCP addressing and frequently runs on old PCs that have been removed from service. Pentium 150/200 MHz/Pentium II/Celeron will do just fine to run IPCOP. It is administered through SSL/Web Interface so you don't need to know Linux to get it rolling. For Internet connectivity for groups, this is a great and secure way to go. Check it out at
    0 points
  • Boardinhank
    I imagine you are using DSL of some kind and you should look at getting a static IP address with that, then you can actually set the static address that they give you to the WAN interface, and the WAN gateway will be the DSL router. This should be fine.
    60 points
  • Boardinhank
    Just a note, what ICS does is turn your 2000 server into a router for the other PCs, they use the IP of the 2000 server as their gateway and as long as the 2000 server has internet connectivity then their traffic will route just fine. You are not required to get the static IP even though for a lot of things I like the static and recommend it.
    60 points
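
The addressing plan from the question (a 10.10.x.x WAN side handed out by the router, a 192.168.1.x LAN side, clients using the server as gateway), checked in an added example that is not part of any post above. The /16 and /24 masks, the sample addresses and all function names are assumptions made for illustration. NAT on the server does not by itself stop the tutoring PCs from opening connections to office machines on the 10.10 side, so the last function expresses the filter policy that "completely separate" would need on the server.

```python
import ipaddress

def check_nat_plan(wan_if, lan_if, client_gateway):
    """Return a list of problems with a two-NIC NAT/ICS addressing plan.

    wan_if and lan_if are the server's interface addresses in CIDR form.
    """
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    problems = []
    # The two sides must be different subnets or the server cannot route.
    if wan.network.overlaps(lan.network):
        problems.append("overlap")
    # Clients point at the server's LAN address, not at the upstream router.
    if ipaddress.ip_address(client_gateway) != lan.ip:
        problems.append("gateway")
    return problems

def is_double_nat(wan_if):
    """True when the WAN NIC holds a private address behind another router."""
    return ipaddress.ip_interface(wan_if).ip.is_private

def tutoring_may_reach(dest, wan_if, upstream_router):
    """Separation policy: allow the upstream router and anything beyond the
    office subnet, deny every other host on the office (WAN-side) subnet."""
    wan = ipaddress.ip_interface(wan_if)
    dest = ipaddress.ip_address(dest)
    if dest == ipaddress.ip_address(upstream_router):
        return True
    return dest not in wan.network

# Constructed sample values (assumed masks and host addresses).
WAN_IF = "10.10.0.50/16"   # server NIC facing the office LAN / Linksys router
LAN_IF = "192.168.1.1/24"  # server NIC facing the tutoring PCs
ROUTER = "10.10.0.1"       # assumed address of the Linksys router

if __name__ == "__main__":
    print("plan problems:", check_nat_plan(WAN_IF, LAN_IF, "192.168.1.1"))
    print("double NAT:", is_double_nat(WAN_IF))
    for d in ("10.10.0.1", "10.10.3.7", "8.8.8.8"):
        print(d, "allowed" if tutoring_may_reach(d, WAN_IF, ROUTER) else "blocked")
```
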
