AD in Win2K3 SBS – Group Policy Question

Tags: Active Directory, DataCenter, Desktop security, DNS, Ethernet, Exchange 2003, Graphical User Interfaces, Hardware, Microsoft Exchange, Microsoft Windows, Networking, Outlook, Policies, Servers, TCP, Tech support, Vendor support, Windows, Windows client administration and maintenance, Windows Server 2003, Windows XP

Win2K3 SBS network; several remote sites all connected via VPN (Cisco PIX); all is working fine now, TS for Corporate App, Exchange and Outlook 2K3 for email etc. We tried to set up ISA 2004 at Corporate, but not knowing it well, as well as time constraints, is keeping us from the task of limiting and denying Internet (IE) access to a certain group of users while allowing another group complete access. I need help in getting information on setting up the Group Policy for this. With the way the VPN is set up, ISA 2004 would be a complete overhaul of the current infrastructure, and at this time cost is an issue. Can anyone point me in the right direction, or does anyone know someone who has done this type of GP configuration? All clients are WinXP Pro SP2. Sorry if this is redundant, but I need to try to resolve this ASAP.

Answer Wiki


If you simply don’t want them to be able to browse using IE, create a separate OU and put the specific users under that OU. Set the GPO to use a bogus proxy server/port and the users will not be able to change it. That solves the problem until you get your funding for ISA Server.

If you want to allow them access via IE to certain locations, consider getting a squid server (free, server costs only) setup to allow certain IPs or users (with authentication) to limited browsing while letting others browse anywhere.

SF

Discuss This Question: 7  Replies

 
  • RichardDoe
    Just a thought, but couldn't you simply set up an Access Control List in the PIX to block those users from connecting over port 80?
  • Byrd88101
    With XP/SP2, there is a policy setting called Restrict Internet communication, which will restrict all Internet communication. This MIGHT be more heavy-handed than what you are after. But give it a shot. It will be found in Administrative Templates | System | Internet Communication Management. You might also try control via Internet Zones. Check out http://support.microsoft.com/default.aspx?scid=kb;en-us;182569 for more assistance.
  • Delebute2004
    SF, thanks for the reply. We want to block certain users from browsing, and the new OU using a proxy to get them to nowhere would work; I just do not have any experience trying it. Do you have any white papers or notes on the setup? ISA Server will not be in the cards, as we have a current investment in the Cisco PIXes, IP phones and gateways, and with all the remote sites, using ISA would really get expensive. In response to the PIX access-list: we want to centralize the management. Having the access-list on the PIX would entail setting up users all over the remote locations (12 of them); it would be a management nightmare.
  • Sonyfreek
    You don't have to use a legitimate proxy in the GPO. Create your OU (let's call it "BlockedUsers") anywhere in your AD structure. Put the users you don't want to use IE in that OU (right-click them and hit Move, select the "BlockedUsers" OU). Then right-click on the BlockedUsers OU and select Group Policy. Click on the New button and give it a name like "BlockBrowsing." Edit the GPO and select User Configuration | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings. Change it to a bogus IP and port, like 10.255.255.255 8080. As long as that IP and port don't exist, those users will effectively be blocked from using IE. No matter if they "remove" the setting in IE, they will still use the proxy server. You could get more restrictive in your policy and prevent them from viewing the Connections tab... This doesn't stop Mozilla or other browsers, but the basic problem stated IE. If you want to set up a squid server, it's a bit more involved. I recommend that you check out the squid site at http://www.squid-cache.org/. There is a pretty good configuration page there. Essentially, you can block using squid on IP range, host IP, username if you use authentication, etc. You can allow certain users to get to certain sites... All of that information is in the user's guide, or you could query newsgroups for how to set it up. Hope this helps. SF
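The squid setup suggested above, sketched as an added example that is not part of the original thread or written by its posters: address-based ACLs give one group a short list of approved sites and another group unrestricted browsing. The subnets, domains and listening port are placeholder assumptions.

```squidconf
# Added example; every address and domain below is a constructed placeholder.
http_port 3128

# Clients limited to an approved site list (assumed subnet)
acl restricted_hosts src 192.168.10.0/24
# Clients allowed to browse anywhere (assumed subnet)
acl full_access_hosts src 192.168.20.0/24

# Sites the restricted group may reach; a leading dot also matches subdomains
acl approved_sites dstdomain .example.com .example.org

# Only proxy web ports, and only allow CONNECT tunnels to HTTPS
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# http_access rules are checked top to bottom and the first match wins,
# so the allow for approved sites must come before the deny for the group.
http_access allow restricted_hosts approved_sites
http_access deny restricted_hosts
http_access allow full_access_hosts

# Anything not matched above (unknown clients) is refused
http_access deny all
```

With a proxy like this in place, the GPO proxy setting described in the thread would point at the squid server's address and port rather than a bogus one. To key on usernames instead of addresses, the same rule layout works with `proxy_auth` ACLs once an authentication helper is configured through `auth_param`.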
  • JohnBF
    As noted in a previous answer, it is only possible to control the use of Internet Explorer in this way; you would need to check that none of the restricted users have third-party browsers such as Firefox or Opera (and remove their ability to install them).
  • Delebute2004
    Thanks for all the replies. We are getting ready to implement the new OU and proxy IP address. The concern about the users' ability to install third-party browsers has been resolved from day one. None of these users have the ability to install any software or hardware. I will post our results of the suggestions from SF in about a week or two.
