False positives in security logs due to Chrome advanced sync settings?


We noticed in our security logs that a user in our organization has been visiting a restricted site while on company equipment over the course of the last couple months.

We brought it up to the user who vehemently denied ever doing so on company-issued equipment. We showed him the logs and he reiterated his innocence. After looking through them, he proposed that the issue was due to Google Account sync settings via Chrome. The organization has Chrome installed and users are free to use it as they please. He conjectured it was because of the sync settings (Chrome syncs everything including browser history and open tabs). Whenever he was logged into both his personal computer and his work computer on Chrome, whatever he was doing on his personal computer was being pushed to Google and then synced to the work computer, leading the logs to have false positives that made it look like the user was doing so on the work computer.

He verified that he never did so as supported by the timestamps (they were always after hours and he never brought the machine home, and access card logs can verify that the user was never on premises after hours). We trust that the user has never done it given all this.

The question is, is there a way we can definitely prove that the requests from his work computer during the supposed times that the web traffic was being synced are false positives? That the web requests were not being sent from the work computer as the source?

Also, knowing this, without enacting stricter security policies such as blocking logging into Google Accounts altogether, is there a way we can "fix" this or set a rule to filter out the real traffic from ones such as this? Thanks for any input.


Author: استخدام کار | Date: Tuesday, 18 Khordad 1395, 6:13
