Companies takes steps to curb online shopping during work hours.The holiday shopping season is in full force, and online retailers are expecting record sales this year. But what's good news for online retailers may not bode well for companies concerned about security, employee productivity and bandwidth consumption.Employees today do a lot of their online shopping on company time, using company systems. Retail association Shop.org and BizRate Research paired up on a study that estimates 37% of consumers will use Internet access at work to browse or buy gifts online this holiday season.To make sure shopping sprees at work don't become a problem, some companies use Internet monitoring software, which IT executives can configure to prohibit or limit employee access to shopping sites.The driver isn't only to curb unproductive employee habits. There also are security risks to consider. While picking out toys, electronics and apparel, employees can unwittingly be picking up spyware, adware and malware, such as Trojans and keystroke loggers.Users may be directed to an unfamiliar merchant via a search engine, and that merchant may not be trustworthy or adequately protected, says Jeff Smestuen, IT network manager at Blue Bell Creameries. "Users don't have control over what type of additional, unwanted content they may be downloading from that site," Smestuen says.Blue Bell limits how much time employees can spend on shopping sites, Smestuen says. The Brenham, Texas, ice-cream maker also blocks access to certain sites, such as eBay, because bidding tactics can distract employees for long periods, Smestuen says.The software behind Blue Bell's Internet policies is from Websense, which lets Blue Bell set quotas that place time limits on users' surfing. Quotas start at 60 minutes and go up, depending on users' roles. If a user reaches the daily time limit, the Websense software blocks further access to the restricted sites. Blue Bell doesn't limit the times of day users can shop online - such as allowing access to shopping sites only before and after business hours or during lunch - but the Websense software would allow it to if required."We don't do it to Big Brother the employees, we do it to conserve our resources," Smestuen says. "We start cranking down the sites from a security and a bandwidth perspective first, then productivity second."Communication criticalLately there's a trend among companies to do less blocking and more monitoring of sites that don't pose a direct security or legal threat, such as shopping sites, says Susan Larson, vice president of global threat analysis and research at SurfControl.Companies may block inappropriate content, such as pornography, but leave shopping, sports and travel sites accessible to users, Larson says. "The products have had to become more sophisticated to deal with all the various ways that network administrators want to work collaboratively with their own end users," she says.With this approach, end-user education is critical. Companies that regularly communicate with users and take the time to explain new threats as they emerge do well, she says."The idea is to work with users in a more collaborative fashion and not be quite so punitive immediately," Larson says. "The companies that work that way do the best, because they actually get the cooperation of their end users."Communication starts with a corporate acceptable-use policy. Richard Petty Driving Experience (RPDE) has employees sign its Internet and e-mail policy when they're hired, says Kevin Craig, IT director at the motor-sports entertainment company, which puts people behind the wheels of NASCAR-style stock cars.RPDE also has deployed monitoring software from SurfControl, which the Concord, N.C., company uses to limit the sites that call-center employees can visit. Employees working in RPDE's call center can access only those sites required to assist customers, such as the NASCAR site.RPDE doesn't block sites for the rest of the staff unless there's a security or legal threat. Users for the most part exercise good judgment and are respectful of the company's Internet use policies, Craig says. It helps that they know IT has tools in place to monitor where they go, if need be. "That does a very good job of deterring users from going to sites that aren't business-related during work hours," Craig says.United frontIT helped craft RPDE's Internet use policy, but the human resources department and executive committee presented it to employees when it was created. "It wasn't me coming off as policing the entire company, which makes my interaction with people a lot easier," Craig says.Blue Bell's Smestuen agrees that without a companywide policy endorsed by management and HR, IT can look like the only obstacle standing between employees and their shopping."It's really easy to be touted as the bad guy, being in IT and regulating where people can go and where they can't," Smestuen says.A healthy dose of reason also is important. For example, it may make sense to relax online shopping restrictions during the holiday season to avoid employees leaving the office during a lunch break to battle shopping mall congestion.Today's software offers flexible filtering policies that let companies easily modify quotas at different times of years, a tactic that can benefit users and companies, says Leo Cole, vice president of marketing at Websense."It's a benefit to me as a user to be able to do some shopping at the office. It's also a benefit to the company, because I don't have to be out of the office going from store to store," Cole says.