Blocking a user from internet

Exchange user permissions
SBS 2003
Hello, I am having a problem. I am running Windows SBS 2003. I have about 50 people using computers at all times. I also have one that is on the internet most of the day. When I open IE it goes to our Intranet (companyweb page); this is not a problem, but from here starts my question. I have one user with a roaming profile. How can I let him/her use our Intranet but block him/her from the Internet? This person spends too much company time playing on the net. Is this possible, and if so can I get details on how to do this? Thank you.

Answer Wiki


As was touched on in the comments, use Windows Server 2003+’s group policy management to administer a phony proxy policy. In the policy, set the proxy address and port to something nonexistent, then tell it to bypass the proxy for certain addresses (your intranet). Also, as mentioned below, remove the connections tab in IE settings, or just disable the proxy settings which will cause them to be grayed out. Set the permissions on the policy so that this user is the only one who has access to apply the policy. We have a Server 2003 set up and have two usernames locked out this way. Whatever PC they go to they are blocked.

HTH, Koohiisan
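As an added example (not from the thread or any of its posters), here is a simplified Python model of how the bypass list in the phony-proxy approach decides which requests go direct and which are sent to the dead proxy. The host names and address range are constructed, and the matching covers only `*` wildcards and the `<local>` entry, which matches host names that contain no dot.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values shaped like the per-user IE proxy settings.
PROXY_SERVER = "blockdomains:80"  # fake proxy name mentioned in the thread
PROXY_OVERRIDE = "companyweb;*.corp.example;192.168.16.*;<local>"  # hypothetical


def parse_override(value):
    """Split the semicolon-separated bypass list into lowercase patterns."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def bypasses_proxy(host, patterns):
    """Return True when the host matches a bypass entry (fetched directly)."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern == "<local>":
            # <local> covers single-label names only, e.g. "companyweb".
            if host and "." not in host:
                return True
            continue
        # Only "*" is treated as a wildcard; everything else is literal.
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, host):
            return True
    return False


def route(url, proxy=PROXY_SERVER, override=PROXY_OVERRIDE):
    """Say whether a URL is fetched directly or handed to the fake proxy."""
    host = urlsplit(url).hostname or ""
    if bypasses_proxy(host, parse_override(override)):
        return "direct"
    return "proxy " + proxy


def audit(urls, override=PROXY_OVERRIDE):
    """Map each URL to its routing decision under the given bypass list."""
    return {url: route(url, override=override) for url in urls}


if __name__ == "__main__":
    sample = ["http://companyweb/", "http://companyweb.corp.example/",
              "http://192.168.16.2/", "http://www.example.com/"]
    for url, decision in audit(sample).items():
        print(f"{url:40} {decision}")
```

If users reach the intranet by a fully qualified name, `<local>` alone does not cover it, so that name has to be listed in the bypass list explicitly.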


This is a technical challenge for sure, but you have a personnel problem on your hands. They need to understand that in today’s economy there are a lot of other people who would like to have a job. If there is not enough real work for this person, then the company should let them go and help the bottom line. I think it is important to have this discussion with this person with HR, management and staff involved to understand the severity of the issue. In the meantime, you might be able to do a few things:

1. Does the person need access to any resources outside of the local LAN and is the intranet on the local LAN? If they do not access any resources outside of the LAN and the intranet is local, then remove the default gateway from their computer. You may need to modify the hosts file on the computer to get name resolution for the intranet, but any requests for services outside of the local network will fail.

2. If the situation is not covered by item 1, then things do get sticky. You may need additional technology to accomplish what you are saying such as a proxy server with authenticated access control. You have to ask yourself is it really worth this effort & cost for one employee. That goes back to the discussion you need to have with this individual that I suggested at the beginning of this post.

Further… Is this person that important? Warn them and fire them. Replace with someone that respects you as an employer.

Discuss This Question: 5  Replies

  • Mnippo
    One way to prohibit folks from getting to the internet is to: 1) make sure they are NOT an administrator on their workstation; 2) delete the default gateway in the IP address configuration. No default gateway will not allow a user to communicate outside of the local LAN.
  • Denny Cherry
    One solution is to use software such as Interguard by Awareness Technologies. It allows you to block specific sites, or all sites allowing access to specific sites. As a note I do work for Awareness Technologies.
  • Llpick
    If you are not using an ISA server or proxy server or a firewall hardware device, then just go into their web browser, go to the Connections tab, add a fake proxy such as "blockdomains", put in port 80, and then select bypass for LAN. Then go to Group Policy Editor and Administrative Templates under User Configuration, and under IE disable the Connections tab. Actually it is done by checking the enable tab to disable the connections from being viewed.
  • Robert Stewart
    All good suggestions, but first, did the person sign an Acceptable Use Policy? Does your company have an Acceptable Use Policy for its IT equipment? All personnel should read and sign this policy, preferably during the hiring process. The policy should state what the company will and will not allow your IT assets to be used for. It should also state that the end user has no reasonable right to privacy on an IT asset owned by the company. This can save you some headaches if a termination notice is required for an abusive end user. I hope this helps you out.
  • Spadasoe
    In internet options, set proxy to nonexistent address/port, check bypass proxy for intranet addresses.
