DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Forcing PCs to use a specific DNS server?
- lesd
- Topic Author
- Member
- Posts: 130
- Thank you received: 0
31 Dec 2007 10:28 #46581
by lesd
Replied by lesd on topic Forcing PCs to use a specific DNS server?
louis-m wrote:
> if not using dhcp, set the dns etc on your windoze box. a limited user should not be able to change any network settings on the box.
Thanks but I am trying to find a solution that will work even if the Windows user a/c is not limited so the firewall filtering sounds the way to go - I just need to get my head round it.
Les
- louis-m
- Member
- Posts: 131
- Thank you received: 0
01 Jan 2008 09:43 #46586
by louis-m
Replied by louis-m on topic Forcing PCs to use a specific DNS server?
the only way i can see you doing what you want is to specify a filter that will only allow dns to a certain address.
2820 = 3.3.2_RC5
2950 = 3.2.4
- lesd
- Topic Author
- Member
- Posts: 130
- Thank you received: 0
01 Jan 2008 11:10 #46587
by lesd
Replied by lesd on topic Forcing PCs to use a specific DNS server?
louis-m wrote:
> the only way i can see you doing what you want is to specify a filter that will only allow dns to a certain address.
Accepted. I would appreciate some guidance for setting up such a filter on the 2910. To date I have only used simple router firewalls such as on the Netgear D834.
I do not find the manual of too much help. For example I do not understand whether my requirement needs to use the Call or the Data filter. What exactly is "initiating a call"? Is a DNS request "initiating a call"?
Les
- stoney_sjl
- New Member
- Posts: 7
- Thank you received: 0
02 Jan 2008 08:34 #46598
by stoney_sjl
Replied by stoney_sjl on topic Forcing PCs to use a specific DNS server?
Sorry Les, but from your original question, I'd have thought louis-m's suggestion about setting the OpenDNS servers on the router and letting the PCs pick this up from DHCP would seem to do precisely what you want (this is what I have done in my set-up) without very much complication.
Cheers
Simon
- lesd
- Topic Author
- Member
- Posts: 130
- Thank you received: 0
02 Jan 2008 13:09 #46605
by lesd
Replied by lesd on topic Forcing PCs to use a specific DNS server?
Agreed. That is what I have done. But I also want to ensure that no one can bypass the setting and use an alternative DNS.
I could achieve that via Windows security but that is not a route that is very practical in this case.
Using the firewall to stop all other DNS requests, if I can get it to work, would be the ideal.
I have tried to do it but it is not working yet.
Les
- louis-m
- Member
- Posts: 131
- Thank you received: 0
02 Jan 2008 15:00 #46606
by louis-m
Replied by louis-m on topic Forcing PCs to use a specific DNS server?
what router do you have?
how much control do you want? eg just web browsing, ftp etc
under data filter:
1. create a "block if no further match" rule for port 53 to any address
2. create an ALLOW rule for requests on port 53 to 208.67.222.222 & 208.67.220.220
now, when a request comes in on 53 (dns), the router will drop the dns requests if they don't match the 2nd ALLOW rule.
2820 = 3.3.2_RC5
2950 = 3.2.4
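A small model of the two-rule data filter described in the post above, added here as an illustration; it is not DrayTek firmware code or code from anyone in the thread. It assumes rules are checked top to bottom, that "block if no further match" only marks a packet until a later rule matches, and that unmatched traffic passes; 192.0.2.53 is a constructed stand-in for any other resolver.

```python
from dataclasses import dataclass
from ipaddress import ip_address

BLOCK_IF_NO_FURTHER_MATCH = "block if no further match"
PASS = "pass"
DNS_PROTOCOLS = frozenset({"udp", "tcp"})  # DNS uses port 53 on both

@dataclass(frozen=True)
class Rule:
    action: str
    protocols: frozenset
    dst_port: int
    dst_ips: frozenset = frozenset()  # empty set means "any address"

    def matches(self, proto, dst_ip, dst_port):
        return (proto in self.protocols and dst_port == self.dst_port
                and (not self.dst_ips or ip_address(dst_ip) in self.dst_ips))

# Rule 1 and rule 2 from the post (resolver addresses as given there).
RULES = [
    Rule(BLOCK_IF_NO_FURTHER_MATCH, DNS_PROTOCOLS, 53),
    Rule(PASS, DNS_PROTOCOLS, 53,
         frozenset(map(ip_address, ("208.67.222.222", "208.67.220.220")))),
]

def verdict(proto, dst_ip, dst_port, rules=RULES):
    decision = "pass"          # assumed default when no rule matches
    for rule in rules:
        if not rule.matches(proto, dst_ip, dst_port):
            continue
        if rule.action == PASS:
            return "pass"      # explicit allow ends evaluation
        decision = "block"     # tentative: a later rule may override
    return decision

# Constructed sample traffic from a LAN client.
SAMPLES = [
    ("udp", "208.67.222.222", 53),
    ("tcp", "208.67.220.220", 53),
    ("udp", "192.0.2.53", 53),
    ("tcp", "192.0.2.53", 53),
    ("tcp", "192.0.2.53", 443),
]

def run_samples():
    return [(p, ip, port, verdict(p, ip, port)) for p, ip, port in SAMPLES]

if __name__ == "__main__":
    for row in run_samples():
        print("%-3s %-15s %-4d -> %s" % row)
```
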
Moderators: Chris, Sami
Copyright © 2024 DrayTek