Block IE or Internet access with group policy

Tags: Compliance, CRM, DataCenter, Disaster Recovery, Microsoft Windows, Networking, Policies, Risk management, Security, Security Program Management
Is there any way to block Internet access with group policy? I am setting permissions for some of the machines locally to only allow certain users access to the IE executable, but that is a pain in the butt. I have: Win2k3 single domain with 2 DCs and approx. 50 XP Pro workstations. I'm guessing this question has been asked/answered before, but I couldn't locate anything. Thanks to all of you who contribute... everyone sticking together is awesome.

Answer Wiki


Yes, there are Group Policy entries that will prohibit specified applications from running. You can disable IEXPLORE for specific logon groups. However, if they can log in to the local machine, ‘Group Policy’ won’t work.

If you disable IE and they install another browser they still have ‘Internet’ access.

A better solution is gateway/firewall rules. Put the restricted employees on one subnet and block ports 80 and 443. The other employees still have access and the restricted employees can only get internal web pages.

Discuss This Question: 11  Replies

 
  • Netsecadmin
    You do not mention the Internet firewall being used. If it is an ISA and it is a member server, you can block based on username, computer, or networks. If you want to block per user, you could set the IE proxy to a device that will not proxy the traffic, and set the client to bypass for internal networks.
  • HumbleNetAdmin
    How I block specific users' access to the Internet using GPO: this mostly applies to terminal services clients on my network, however it is used for some internal clients as well. Create an Organizational Unit (OU) such as "No Internet" or whatever you like, specifically for the clients. Create a GPO with the same name and link it to the OU. In the GPO, edit the Proxy Settings under /User Configuration/Windows Settings/Internet Explorer Maintenance/Connection. Set the proxy server IP address and port to a non-existing proxy server. I use the default gateway for my network (IP to my firewall), and then check "Use The Same Proxy Server for all Addresses". After doing this, move the AD clients to the OU you created and have them log off and back on. This will effectively block Internet browsing. I am not sure whether or not it will work for other browser applications such as Netscape, but it does work for IE. If you find that it does not work for clients that are using Netscape or another browser, you may be able to block the execution of that specific browser executable by editing "Don't Run Specified Windows Applications" under /User Configuration/Administrative Templates/System/. Good luck. The HumbleNetAdmin
  • TheVyrys
    Thank you all so much... I have created the OU and GPO as mentioned by Humble. It works great and I want to add the following: To keep Local Administrators from changing the proxy server settings after the group policy is applied, you can enable the 'User config/admin templates/windows components/internet explorer/disable changing proxy settings'; this grays out the option. Or you can disable the entire connection page, or more if you want. There is one small problem: when I remove users from the 'no internet' OU, the computer retains the settings of the "use a proxy server". I have to manually clear the checkbox in order to get the user back online. Is there any way to specify to clear the checkbox... I looked and couldn't find a setting anywhere. Thanks again!
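One way to clear the leftover proxy setting described in the comment above, as an added example that is not part of the original thread. It assumes PowerShell is available on the workstations and that the script runs as a logon script from a GPO linked only to users outside the "No Internet" OU; `$DummyProxy` is a constructed placeholder for whatever non-existent proxy the blocking GPO used, and the function names are hypothetical.

```powershell
# Added example: logon script for users who are NOT in the "No Internet" OU.
# Assumption: $DummyProxy matches the non-existent proxy set by the blocking
# GPO. The value below is a constructed placeholder (TEST-NET-1 address).
$DummyProxy = '192.0.2.1:8080'
$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IEProxyState {
    # Read the per-user IE proxy values; missing values come back as $null.
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Enabled = [bool]$p.ProxyEnable
        Server  = $p.ProxyServer
    }
}

function Clear-StaleBlockProxy {
    $state = Get-IEProxyState
    # Only touch the setting when it still points at the dummy proxy, so a
    # legitimate proxy configured some other way is left alone. -notlike also
    # covers the per-protocol form (http=host:port;https=host:port).
    if ($state.Server -notlike "*$DummyProxy*") {
        return 'unchanged'
    }
    # Untick "Use a proxy server" and drop the dummy address for this user.
    Set-ItemProperty -Path $Key -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $Key -Name ProxyServer -ErrorAction SilentlyContinue
    return 'cleared'
}

Clear-StaleBlockProxy
```

The script only writes to the user's own HKCU hive, so it needs no elevated rights, and it is a no-op for any user whose proxy value does not contain the dummy address.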
  • Delebute2004
    I am a bit confused, as we have tried to do the same thing, creating a new OU and GPO, but when I log in with a user that is moved into this OU (called BlockedUsers) via terminal services, the users can still browse the internet. What troubleshooting steps do I need to look at to resolve this issue? When we run GPResult on the client ID, we see the GPO is enabled but still not working. If someone can contact me directly offline, I can send the .msc from the user I am testing as well as a screen pop of the GPO structure. delebute@dtechnetworkingservices.com
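A troubleshooting aid for the situation in the comment above, as an added example that is not part of the original thread: run in the affected user's session, it reports whether the three controls discussed here (the IE proxy, the "disable changing proxy settings" lock, and the "Don't run specified Windows applications" list) actually reached that user's registry. It assumes PowerShell is available; the function names are hypothetical.

```powershell
# Added example: report, for the logged-on user, the controls from this thread.
$IS  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IEP = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$EXP = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-Value($Path, $Name) {
    # Return one registry value, or nothing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-BrowserBlockState {
    # Program names listed under the DisallowRun subkey (values named 1, 2, ...).
    $blocked = @()
    $key = Get-Item -Path "$EXP\DisallowRun" -ErrorAction SilentlyContinue
    if ($key) {
        $blocked = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{
        ProxyEnabled      = [bool](Get-Value $IS 'ProxyEnable')   # "Use a proxy server" ticked
        ProxyServer       = Get-Value $IS 'ProxyServer'           # should be the dummy proxy
        ProxyChangeLocked = [bool](Get-Value $IEP 'Proxy')        # proxy settings greyed out
        DisallowRunOn     = [bool](Get-Value $EXP 'DisallowRun')  # application block list active
        DisallowedExes    = $blocked
    }
}

Get-BrowserBlockState | Format-List
```

If GPResult lists the GPO as applied but `ProxyEnabled` is false or `ProxyServer` is empty here, the user-side settings did not land in this session's profile, which narrows the problem to policy processing rather than to the browser.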
  • HumbleNetAdmin
    After you change the settings in the GPO they will eventually update the client, or you could have the client log off and log back on for an immediate change. A little note: these settings in the GPO only apply to IE and not to Firefox, so probably not to other browsers as well. I tested blocking firefox.exe in GPO as mentioned above and that works as well. Yes, GPOs are a very powerful tool! Just one precautionary note when setting GPO settings for "Computer Configuration" settings. Some of these settings do not reverse when you change the GPO setting back. You have to actually change it back in the client computer's local GPO. Not a biggy if it only applies to a few computers, but a major nightmare if, say, it applies to 80 computers! Happy GPOing! :) The HumbleNetAdmin
  • TheVyrys
    Yes, blocking the following helps: aol.exe, firefox.exe, netscape.exe, or any other file that may execute a browser. One question I have is, could we just block iexplore.exe and not worry about the proxy settings?
  • HumbleNetAdmin
    Yea, you could; however, I am not sure that would not create some issue for your client PCs. IE being integrated into Windows the way that it is, something else may require it. Don't hold me to that though :)
  • TheVyrys
    You never know with M$... Other problems that may arise in the future would be if clients were trying to use IE to view .jpg's or internal web pages. I guess this all goes back to exactly what Howard2nd was saying in his reply. And NetsecAdmin's solution would work well also, but I do not have ISA. Thanks again for your replies and solutions. You guys are great. If any of you find a way to reset the 'use a proxy server' option, let me know... and I'll do the same.
  • Wisdom9
    The most common way I see people doing this is to use GPO to set a proxy server address that points to a non-existent proxy server, and then prevent the user from changing that. The best way is not via Group Policy, but through a proper proxy server like ISA server.
  • Retto1
    I had almost an identical situation. 2 DCs with Win2k and 45 PCs with XP. The domain users group is in the local power users on each client. Basically, users can do very little damage. I followed the steps listed below, and have had no issues yet. Give it a try, very easy and straightforward. Check it out. http://www.petri.co.il/block_web_browsing_with_ipsec.htm http://www.petri.co.il/configuring_ipsec_policies_through_gpo.htm I hope this helps.
  • TedRizzi
    Yes, group policy for XP and 2003 Server has a user setting that lets you disallow specific programs for users. Simply set that up and put those users in a specific OU, then apply that policy to that OU. Or you can do this: create a user policy for IE connections, configure a dummy proxy, and remove everyone from the apply policy security setting. Create a group, put those users in that group, and add them to the policy's security group with apply policy set. When they try to launch IE, it will fail because of the fake IP address you put in the proxy setting.
