How would I go about blocking users from seeing a public site (i.e., the guest user profile)?
Could you allow all ranges of IP except theirs?
Is there a way to block by domain?
For clarification, this is a public-only, non-authenticated site, no login.
Salesforce provides some really good documentation on what is possible using the Public Access Settings for Force.com Sites:
- Set the object permissions for your site. You can grant “Read” and “Create” permissions on all standard objects except products, price books, and ideas; and “Read,” “Create,” “Edit,” and “Delete” on all custom objects. All permissions that aren’t set by default must be set manually.
We recommend setting the sharing to private for the objects on
which you grant “Read” access for your site. This ensures that users
accessing your site can view and edit only the data related to your
We also recommend securing the visibility of all list views. Set the
visibility of your list views to Visible to certain groups of users,
and specify the groups to share to. List views whose visibility is set
to Visible to all users may be visible to public users of your site.
To share a list view with public users, create a new public group for
those users and give them visibility. If the object’s sharing is set
to private, public users won’t be able to see those records,
regardless of list view visibility.
- Control the visibility of custom apps. If you want to expose a custom app and its associated tabs to public users, make only that app visible and make it the default to avoid exposing other pages. If any of your site pages use standard Salesforce headers, other visible applications may be seen by public users.
- Set the login hours during which users can access the site.
- Restrict the IP address ranges from which you can access the site. Force.com sites ignore company-wide IP range restrictions in order to provide public access; however, you can restrict the IP range here.
To set restrictions based on IP or login hours, HTTPS is required. You
must use the secure URL associated with your Force.com domain to
access your site.
To enforce HTTPS on all Force.com sites pages and allow all IP
addresses to access your site, create the following IP ranges:
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff. However, as this may degrade
the performance of your site, don’t enforce HTTPS unless it is
absolutely required. Changing from HTTP to HTTPS doesn’t affect logged
in users until the next time they log in.
Both IP addresses in a range must be either IPv4 or IPv6. In ranges,
IPv4 addresses exist in the IPv4-mapped IPv6 address space
255.255.255.255. A range can’t include IP addresses inside of the
IPv4-mapped IPv6 address space if it also includes IP addresses
outside of the IPv4-mapped IPv6 address space. Ranges such as
::1:0:0:0 are not allowed.
You can set up IPv6 addresses in all organizations, but IPv6 is only
enabled for login in sandbox organizations from the Spring ’12 release
- Enable Apex controllers and methods for your site. Controllers and methods that are already associated with your site’s Visualforce pages are enabled by default.
- Enable Visualforce pages for your site. Changes made here are reflected on the Site Visualforce Pages related list on the Site Details page, and vice versa.
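For the question's "allow everything except theirs" case, here is an added example (not part of the answer above and not Salesforce code): it computes the IPv4 allow ranges that leave out given blocked ranges, and checks a start/end pair against the range rules quoted above. It assumes ranges are entered as inclusive start/end pairs; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4-mapped IPv6 block (RFC 4291), the address space the quoted rule refers to.
MAPPED = ipaddress.ip_network("::ffff:0:0/96")

def validate_range(start, end):
    """Return None if the pair passes the quoted range rules, else a reason."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a.version != b.version:
        return "both ends must be IPv4 or both IPv6"
    if a > b:
        return "start is above end"
    if a.version == 6:
        lo, hi = int(MAPPED.network_address), int(MAPPED.broadcast_address)
        overlaps = int(a) <= hi and int(b) >= lo
        inside = int(a) >= lo and int(b) <= hi
        if overlaps and not inside:
            return "range mixes IPv4-mapped and other IPv6 addresses"
    return None

def allow_all_except(blocked):
    """Return inclusive IPv4 (start, end) allow ranges covering all but `blocked`.

    `blocked` is a list of inclusive (start, end) IPv4 pairs; overlaps are merged.
    """
    spans = sorted((int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(e)))
                   for s, e in blocked)
    allowed, cursor, top = [], 0, 2**32 - 1
    for lo, hi in spans:
        if lo > hi:
            raise ValueError("blocked range start is above end")
        if lo > cursor:
            allowed.append((cursor, lo - 1))   # gap before this blocked span
        cursor = max(cursor, hi + 1)
    if cursor <= top:
        allowed.append((cursor, top))          # tail after the last blocked span
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in allowed]

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses (RFC 5737).
    sample = [("203.0.113.7", "203.0.113.7"), ("198.51.100.0", "198.51.100.255")]
    for start, end in allow_all_except(sample):
        print(start, end, validate_range(start, end) or "ok")
```

An IP allow-list keyed to one visitor's address only holds while that address stays the same; a visitor arriving from a different address falls back inside the allowed ranges.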