Internet Lock uses the Global Protection Mode and Rules together to control internet programs and connections. You add one or multiple rules to permit, block or password-protect specific programs and connections. Connections that do not match any rule are controlled by the global protection mode.
Every internet connection is decided whether it should be permitted, blocked, or require a password, following these steps:
Connections that do not match any rule are controlled by the global protection mode, which can be set to:
Rules are checked in the exact order of how they appear in the list. The topmost rule is checked first, then the next one, and so on, until a matched rule is found; then the rest of the rules won't be checked anymore. The action in the matched rule is used to decide the final action of the connection.
Therefore, the order of rules matters. The topmost rule has the highest priority, and the bottom rule has the lowest priority. A newly created rule should normally be put on top of the list to ensure it takes effect.
A rule might be totally suppressed by another rule before it. For example, assuming you have the following rules:
When you use MS Edge to browse websites, connections created by MS Edge always match the first rule, so the second rule won't be reached. Therefore, MS Edge can access all websites even you have set the second rule to block it on all ports.
A rule has multiple attributes, such as app, ports, IP addresses, and users. Any attribute can be left empty to use the default setting. When an attribute is empty, it means "matching all"; if an attribute isn't empty, the rule will only affect the specified app, ports, IP addresses, or users.
The attributes are combined using AND logic. A connection must match ALL the non-empty attributes, in order to match the rule.
For example, considering the rule:
Only when MS Edge connects to HTTPS via port 443, it matches the rule. If another app (e.g., Firefox) connects to port 443, it doesn't match the rule. If MS Edge connects to HTTP via port 80, it doesn't match the rule.
On the other hand, because the rule has neither IP address nor user account specified, any user using MS Edge to access any website via port 443 (HTTPS) will match the rule.
You can use a rule to control one single internet program, or control a set of internet programs and connections.
To create a rule, click on the main window.
A rule has multiple attributes, such as app, ports, IP addresses, and users. See how attributes are used to match connections for how these attributes work together.
Every rule must have a name. The name isn't used for matching internet connections; it's used when displaying the rule in the rule list of the main program, and as a hint in the password dialog box. The rule name should be able to indicate the purpose of the rule, and you should update its name if necessary when editing an existing rule.
Action decides what to do when an Internet connection matches the rule: permit or block the connection, or show a password dialog box to ask for the password to continue.
If you chose action to be , you can click to set a separate password to this rule. The admin password is a master password and can always be used to permit password-protect rules.
A rule can be temporarily disabled by setting its action to be . A disabled rule won't match any connection. This is useful if you don't want to remove the rule because you may re-use it later.
For password protect rules, when asking for password, the internet program doesn't wait by pending the connection. The connection is blocked first, and then will be permitted after entering the correct password. Sometimes you may need to refresh the page to let it reconnect.
The full program path to be protected by this rule. By default, the app is empty, so the rule
will match all programs. You can click to choose a program, or
drag the target icon 
onto any window
to capture its program path.
You can specify one or multiple comma-separated ports and port ranges. If you leave the ports to be empty, this rule will match all ports. You can click to choose the ports of a well-known internet service.
You can specify one or multiple IP addresses, subnets, and IP ranges. If there is no any IP in this rule, it will match all IP addresses.
The IP addresses, subnets, and IP ranges can be IPv4 or IPv6. However, the start and end IP of an IP range must be in the same protocol; you can't mix IPv4 and IPv6 in an IP range. This IP page has examples for how to use subnets and IP ranges.
When adding IP addresses, you can click to use the tool to get IP addresses from a domain name, and add those IP addresses to the current rule. This is useful to control access to a specific website.
By default, a rule has no user/group account, so it will match all users. In other words, if a rule matches the connection by other attributes (app, ports, IP addresses), no matter which user establishes the connection (i.e., runs the internet program), it will match the rule. If you specified one or more user/group here, a connection established by users that are not in the user or group list won't match this rule.
Every rule can be configured to use the schedule option. By default, the schedule option of a rule is "Always", which means that the schedule is disabled and the rule is always enabled. You can use the schedule option to only enable the rule at the specified date (daily, weekly, or monthly) and hours.
The schedule of a rule is decided by date (every day for daily; days for weekly/monthly) and time (hours).
The schedule option is to enable or disable the rule at the specified time, not to permit or block the related connection. When the schedule is in a disabled hour, the rule is disabled like changing its action to <Rule Disabled>, and Internet Lock will ignore it. Therefore, multiple rules with the same attributes can be created with different schedule options, to achieve complex protection. See using multiple rules.
Using DST may lead to complications in schedule options, as even a limited user can enable or disable DST.
If your time zone currently observes DST, please configure the schedule options using standard time. For example, if 9:00 AM DST corresponds to 8:00 AM standard time, and you wish to enable a rule at 9:00 AM DST, you should choose the hour 8:00 AM instead.
You can enable internet time to prevent the schedule options from being bypassed by altering the system time. By using internet time, the schedule options will no longer rely on the system time; instead, they will use internet time, which cannot be altered as it is sourced from remote servers.
The basic usage of multiple rules, is to control different internet programs and connections in different ways, for example:
See how multiple rules work together for how multiple rules are used to match a connection.
Multiple rules can also be used to provide different protection for a subset, while controlling a set of programs and connections. Let's see some examples.
In the example above, all programs are blocked on ports 80 and 443, with one exception that the MS Edge (a subset of "all apps") is permitted.
In the example above, only the user account Administrator (a subset of "all users") can use MS Edge to access the Internet.
In the example above, the second rule doesn't have schedule enabled, which means it's always enabled. With those 2 rules, Firefox will only be permitted to access the Internet at 9:00 AM - 3:00 PM (a subset of "always").
In the example above, Firefox will be permitted when it accesses port 80 (a subset of "all ports"), or when it's used by Administrator (a subset of "all users").
Connections that are not controlled by any rule will be controlled by the global protection mode. By default, all other programs and connections are permitted because the default global protection mode is "Permit". To change it, you can click the button on the main window, then choose one of the menu item.
Global protection can't be set scheduling options, nor can it be set to "Password Protect". But there is a special kind of rule that can be used to achieve the goal of scheduling global protection -- the empty rules.
An empty rule is a rule that has no app, port, IP address, or user account. Since an empty attribute means "matching all", it's obvious that an empty rule matches all connections, just like the global protection mode.
Normally you shouldn't add an empty rule to the rule list, especially shouldn't add it to be on top of the list. If you do that, the empty rule matches all connections so that all rules below it are suppressed.
But you can use an empty rule with the schedule option, and put it at the bottom of the rule list, to schedule protection for connections that do not match other rules. For example (assuming the global protection mode is "Permit"):
Or, you can set the global protection mode to be "Block" and add a bottom empty rule to permit connections in scheduled times.
It's not recommended to use action "Password Protect" for empty rules, as it may ask for password too many times since all connections are affected.
The admin password is very important. It protects the main program and uninstaller -- without the correct admin password, none can change the settings you have made, or uninstall the software. It's also a master password for all "Password Protect" rules.
All protections will be useless if there is no admin password, because anyone can access the main program to remove those protections, or uninstall the software directly.
To set or change the admin password, click the Settings icon
on the main window, then select
.
Internet time is for schedule options of rules. It's designed to prevent bypassing protection by changing the system time.
Schedules are very useful for controlling internet programs and connections basing on date time, e.g., allowing web browsers only at 9:00 AM - 4:00 PM. But the system time can be changed by administrators so that the schedules can be bypassed. By using internet time, the schedule options no longer use the system time, instead they use the internet time which can't be changed because the time is obtained from the remote servers.
To enable internet time for schedule options, click the Settings icon
on the main window, then select
. You normally don't need to add or modify any time
server. It's enough to simply enable the option
.
If you don't enable the option, you can still add/remove/modify the timer servers, but internet time won't be used by schedule options.
To disable internet time, simply disable the option. There is no need to remove all time servers, and Internet Lock actually doesn't allow removing all servers. If you remove all servers, Internet Lock will automatically disable the internet time option and reset time servers to default.
To change advanced settings, click the Settings icon
on the main window,
then select . However, It is strongly advised to retain
the default values of these advanced settings unless you fully understand their implications and are
confident in making adjustments.
Internet Lock always protects outbound connections, which are those initiated by applications on the local computer, such as MS Edge connecting to a website.
By default, Internet Lock also protects inbound connections. Inbound connections refer to those initiated by remote endpoints, where programs on the local computer are awaiting connection from these remote sources.
If this option is disabled, when a local program is waiting for remote endpoints to connect, the connection will not be protected by Internet Lock, even if it matches a rule.
System programs are running in session 0 and are non-interactive, such as services.
By default, Internet Lock does not restrict access for system programs, allowing them to connect to the Internet without limitations. Enabling this option will extend protection to system programs by subjecting them to the rules and global protection mode.
To back up current configuration from Internet Lock:
InetLock.exe /backup path /pwd admin-password [noap]
To restore a configuration backup to Internet Lock:
InetLock.exe /restore path /pwd admin-password [noap] [noforce]
Backup and restore are done by using command-line switches. You will need the basic knowledge of using command-line prompt.
Internet Lock keeps an internal database of permitted and blocked programs, for those that match the "Password Protect" rules, so that they won't be asked for the password multiple times to bother you. An entry is automatically removed after the last instance of the related program exited, so that next time the program starts again, it will be asked for the password again.
If you want to clear the internal database, you can use the following command line switches:
InetLock.exe /reset /pwd admin-password
Once the internal database was cleared, the already permitted or blocked programs will be asked for passwords again.
If Internet Lock wasn't working correctly, you can try the following steps to fix it. You should check if it has been fixed after performing each step, and only continue if the problem is still there.
Note: due to the existing copy being in use, the setup program may display an error message indicating failure to write the main program file. In such cases, select "Ignore" to proceed with the installation.
Internet Lock is not free software. Before you purchase a license and activate your registration, it works in trial mode for evaluation purposes only, and it will stop working when the evaluation period expires.
If the software is useful to you, please purchase a license to support our work: Buy Now
Your registration will be generated and delivered to you via email immediately following the placement of your order. You may then input your registration into the software to convert it to the full (paid) version. No additional download or installation is required.
To enter your registration into the software, click the Help icon on the main window, then choose .