Denying Internet Access to User on Network

pts.
Tags:
Access control
Biometrics
Browsers
Compliance
CRM
DataCenter
Desktop management applications
Desktops
Digital certificates
Disaster Recovery
filtering
Firewalls
Forensics
Identity & Access Management
Incident response
Intrusion management
Management
Microsoft Systems Management Server
Microsoft Windows
Network security
Networking
OS
Policies
provisioning
Risk management
Security
Security Program Management
Security tokens
Servers
Single sign-on
SQL Server
SSL/TLS
Systems management software
VPN
Web security
Wireless
I have a PC on our network that has more than one user. I know how to deny access to the PC itself, but I would like one user be able to access our network, but not the internet. The other user to access both. The server is running Win2003SBS, the PC is running WinXP. I am pretty sure this is possible, but don't know how to set it up. Do I do it through group policy? Do I need a script on the PC at startup? Do I need some kind of software? Any help with this will be greatly appreciated.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Do you want anyone to access the internet from this PC?
if not, you can set the permissions for iexplore.exe to allow only users you want.

mind you, if this is the case they won’t be able to view any html files at all, and they can’t use IE to view .jpg files either. Sometimes that is good, sometimes bad, depending on your situation.

Group policy will work, but you will need to put the user in an OU that has this policy set.
That is how I do it.

You can also get software, but you shouldn’t need it.

here are some instructions for group policy:

Create an Organizational Unit (OU) such as “NoInternet” or what ever you like, specifically for the clients. Create a GPO with the same name and link it to the OU.
In the GPO, edit the Proxy Settings under /User Configuration/Windows Settings/Internet Explorer Maintenance/Connection

Set the proxy server IP address and port to a non-existing proxy server. Some bogus address is fine, and then check “Use The Same Proxy Server for all Addresses”.

After doing this, move the AD clients to the OU unit you created and have them restart. This will effectively block Internet browsing. I am not sure weather or not it will work for other Browser applications such as Netscape or not, but it does work for IE.

If you find that it does not work for clients that are using Netscape or other browser, you may be to able block the execution of that specific brower executable by editing “Dont Run Specified Windows Applications” Under; /User Configuration/Administrative Templates/System/

To keep Local Administrators from changing the settings in IE back to not using a Proxy server: enable this setting in group policy–User config/admin templates/internet explorer/disable changing proxy settings

Hope this helps….V

Discuss This Question: 6  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • HumbleNetAdmin
    Setting the proxy server IP address to a non-existant proxy in Group Policy only applies to IE and will not stop access to the internet via lets say, Firefox. The HumbleNetAdmin
    0 pointsBadges:
    report
  • Amigus
    SBS 2003 premium addition comes with a bundled copy of ISA Server 2004 which is capable of doing authenticated network access by user, group, etc. You can set that up and put users allowed to access the internet in the SBS Internet users group and anyone not in that group will not be allowed to access the Internet.
    0 pointsBadges:
    report
  • Timbol
    Are you using a firewall? If so set up your allowed IPs and assign that PC a static IP that is out of the allowable range, thus blocking it from any outside access.
    0 pointsBadges:
    report
  • Solutions1
    I would infer from your question that the two users have pretty different roles and access privileges. You might consider "virtualizing" the PC - for example, use VMware to set up two virtual machines on the one physical PC. You then personalize each user's as if they were on separate physical machines.
    0 pointsBadges:
    report
  • Dwiebesick
    I would look at Microsoft's Shared Computer Toolkit for XP. This may not be usable for you but the process of locking down the computer will give you suggestions. http://www.microsoft.com/windowsxp/sharedaccess/default.mspx I use this toolkit for several situations and have found no problems. First, read the 107 page manual to get ideas for your computer. dmw
    2,235 pointsBadges:
    report
  • Guardian
    The internet user group would be suitable, in the event that you want to allow or disable any user to logon. But becareful of users who share passwords. Cause with the other users password they can logon. After changing the IE conection settings Regards Newton PS: That's SBS with ISA
    900 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following