There are really only two answers you need.
1. Block both outgoing and incoming traffic for the client computer at the firewall. If it's networked, there should be an external firewall system, and you can block individual computers from there.
2. Remove all icons for web-related applications.
If the user is smart enough to get around the lack of icons on the desktop, in the Quicklaunch tray, and in the Start menu, he or she can certainly work his or her way around any other local controls (blocks to Internet access on the computer to be blocked). If that's the case, your only real option is to block it at the firewall (or router, NAT device, or other external server that can be thusly used).
Of course, you could always just unplug the network cable, I suppose.
Based on the replies you've gotten thus far, this is a much less sophisticated option, but for our small customers who wish to have some clients off the net our solution is twofold:
1. As mentioned before, remove all indications of Internet Explorer from the computer - go to the Control Panel and in Add/Remove choose the "Add/Remove Windows Components" option on the left pane and deselect Internet Explorer. (By the way, nosy users will still be able to browse the Internet by typing the URL in the Windows Explorer address bar, that's why there's step two)
2. Find on the web (or I can send a copy to you) "Noaccess.rat". This is an Internet Explorer ratings file that you can load in your "%SystemRoot%\System32" folder, then enable in the Internet Options section of Internet Explorer [TOOLS>>INTERNET OPTIONS] on the menu bar. Choose the "Content" tab at the top and select "Enable". There you will see the default rating scheme and the "Noaccess" scheme. If you are absolutely sure you want to do this, then remove the default scheme (the other .rat file in %SystemRoot%\System32) and configure your noaccess. Also see http://www.jsiinc.com/SUBG/TIP3100/rh3162.htm for detailed info.
Problem is this only works for IE, and as I said, if a user is a little too smart for his/her britches then they'll probably just download Firefox or load it from a CD.
The second part of the solution (I don't really care for the first one, it's too easy for a user to figure out) given by Zaferus is really the most ideal: "set the Internet router to deny all port 80 traffic to the WAN from the IP address of the client PC you want to block."
Apotheon's thoughts are also very good but not suitable for small companies not using a firewall.
Any company with a network that doesn't use a firewall has much, much bigger problems than blocking Internet access for one computer.
I'm sure before long there will be volunteers banging down the door willing to remotely administer their network and put everything to rights...
Ouch. Firewalls are relatively cheap these days for small companies, and the cost of not having one can almost be compared to the destruction of your company as you know it.....
If I ever had to deal with a company of any size who I learned did not have the sense to have a firewall, I would stop doing business with them, as if they cannot take certain basic precautions to protect their own assets, how can I trust them with mine, or trust that the products I am getting from them are reliable.
Not having a firewall is irresponsible.
I'm speechless.
A hardware firewall is an absolute must for a business. Insist on it. They're cheap...but getting hacked isn't.
No one said there isn't a firewall. Let's not get our panties in a bunch over a hypothetical situation.
I don't know if you noticed, but pr0teus said "Apotheon's thoughts are also very good but not suitable for small companies not using a firewall." There have been a few responses to that. As far as I'm concerned, anyone responding to something like that with a very serious tone and an indication that a firewall is essentially mandatory is just doing good work.
Your comments were very good, and I did notice that pr0teus mentioned in passing not using a firewall. 5 posts extolling the virtues of a firewall after a comment made in passing seems excessive; especially since we all know that any size company should have a firewall in place. Good work: yes; overkill: absolutely.
Any small business that can't afford a Linksys Cable/DSL router won't be in business long anyway.
http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=561
That's true, and not only because a black box firewall/router isn't much of an expense, but also because the kind of poor decision-making that leads a business with a network that must have Internet access to operate without a firewall will certainly tank the business given a little time. Such is life.
Nasty and crude, but: use one of the various auto-run utilities (you can find on download.com or tucows.com) and have it run this:
"ipconfig /release" on a periodic basis.
Some of these utilities have the ability to hide themselves from detection.
The command above will reset all the IP servers to 0.0.0.0 -- so if the user finds a work around for anything else suggested in this thread, it won't work for long.
This solution, as well as some of the others posted here, do not take into account the second part of this problem - maintaining access to the Server.
Does the suggested technique of resetting IP servers to 0.0.0.0 not also lose the required network connectivity?
Microsoft has a rating you can use called noaccess.rat and is activated through the Tools/Internet Options/Content area. It will block all outside Internet access in IE, but allow only Intranet access. I have customized our Company's Browser and include this file along with a couple other rating files that I can turn on and off whenever the need arises. If I turn on the No Access, I usually will also uncheck the box for allowing users to see site with no ratings under the General Tab just to be safe.
We are a small manufacturing business and have multiple users with their own userid logging into the same PC. I limit the access to the IE browser by defining a NoIE group to the executable which has No Access permission. Users who are not permitted to access the Internet are included in the group. I am using the old NT security and not Active Directory since the server at this time is SBS 4.5. The same methodology is used for limiting e-mail usage to the Outlook executable.
I know this small LAN needs a firewall, but the Win SBS 2003 server uses a modem and dialup for Internet.
All the hardware firewalls I see are only for DSL or CABLE connections. Is there an external firewall device for dialup?
Your firewall needs to be either physically or logically between the computers you want to protect and the modem that is connecting you to the Internet. This makes using an external firewall for dialup Internet access somewhat problematic. You may have to either build your own firewall and proxy server, and install the modem in that, or go with a software firewall.
Our Very Good Friend Red Wolf had it right. Linksys routers can be set up to dial the Internet on demand using Mr. Happy External Modem (you *do* remember those, don't you?). Something we T1/DSL/cable modem connected types should remember is that in Europe, they're still mostly dialup (you wouldn't believe what a simple ISDN line costs in Britain or Germany), so this is a legitimate question for nine tenths of the world. I'd set up the Win2K3 with the Linksys as its default router, and let it do its thing. Easy as 3.14159.... -- dw
I would indeed believe what ISDN costs over there. It was absurdly expensive out here, too, when people still actually wanted ISDN service. With the advent of DSL and cable broadband, though, the ISDN line was pretty much made obsolete in the US.
In fact, I'm pretty sure that, if you wanted ISDN for some reason, it would still cost a lot more than DSL or cable broadband.
It's a good thing there are others that know something about black box routers being able to run dialup through an external modem. I didn't know routers with that capability were still on the market. With the ubiquity and extremely cheap bandwidth available everywhere I do business, the only reasons I ever see a need for modems around here are for fax capability and direct dialing another server.
I realize this is a somewhat old thread as such things go but ...
There are many options that permit dialup operation. Many companies make products that have one or more serial ports for dial-up, leased line or ISDN access. These include Linksys, Netgear, USR, MultiTech, Alysys, 3Com, Cisco etc. Or you could "roll your own".
I do not rely on a s/w solution for firewall protection. Many experts agree that a properly set up NAT router affords decent protection for the average user. Prior to a few months ago, I still had dial-up service. I used a 3com C510 to share my dial-up connection.
http://www.practicallynetworked.com/review.asp?pid=291
This unit is still available, if you look hard enough. Over the 4 years I used this setup, I never had ONE single instance of a virus, worm, or other problem.
If you can find it, look for (and listen to)
Security Now! with Steve Gibson
Episode 3, September 01, 2005
Entitled "NAT Routers"
It's available in MP3 format, and is about 11MB in size. I found it very informative, by a top expert in the field.
Remove the ability to alter the internet options (apply this to the local policy if you have to) and then proxy them through a Squid box, making use of MAC addresses or IPs to place computers into groups and use the ACL rules to allow/deny them at will. Works very effectively here.
With a hidden ident client or service you can then transparently log & ban given users without them being aware.
Squid is a proxy service that runs on Unix systems (including Linux). A "Squid box" is, in short, a proxy server. This can be used both for a great deal of security enhancement of your network and to control access of the computers on the network to the Internet. Squid would, indeed, serve the purpose of preventing a given machine from accessing the Internet, and falls under one of the two approaches to blocking access that I pointed out in my initial post above.
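To make the Squid approach concrete, here is an added squid.conf fragment (not code from the thread or from the Squid project) that groups clients by IP or MAC and denies the group Internet access while leaving intranet destinations reachable. The addresses, MACs and the .corp.example domain are constructed placeholders; the `arp` ACL type has to be compiled into Squid and only matches hosts on the proxy's own broadcast domain.

```conf
# Added example: squid.conf fragment for "group by MAC/IP, allow/deny by ACL".
# All addresses, MACs and domain names are constructed placeholders.

http_port 3128

# Clients that must stay off the Internet, matched two ways.
# By IP: fine when addresses are static or reserved in DHCP ...
acl no_internet_ip src 192.168.1.50 192.168.1.51
# ... and by MAC (arp ACL): a renewed DHCP lease does not change the MAC,
# so this survives "ipconfig /release" and manual re-addressing.
# Requires Squid built with EUI/ARP support and clients on the same LAN segment.
acl no_internet_mac arp 00:11:22:33:44:55 00:11:22:33:44:66

# Destinations every client may still reach (intranet web apps, update server).
acl intranet dstdomain .corp.example
acl intranet dst 192.168.1.0/24

# Everyone else on the LAN.
acl localnet src 192.168.1.0/24

# Older Squid releases need this line; Squid 3.2 and later define "all" themselves.
# acl all src all

# Rules are evaluated top to bottom and the first match wins, so the intranet
# allow must come before the deny lines or the blocked group loses it too.
http_access allow intranet
http_access deny no_internet_ip
http_access deny no_internet_mac
http_access allow localnet
http_access deny all
```

The proxy only enforces anything if clients cannot reach the Internet around it, so pair it with the firewall rule the earlier posts describe: permit outbound web traffic from the proxy host only, and lock the browser's proxy setting with policy as the post above suggests.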
I have machines on the plant floor that I just gave static addresses and didn't specify any gateways or DNS. Adjust privileges so they can't change these settings and they can still use shared printers and resources, but cannot get off of the network. This should be sufficient for the average user that has very little knowledge of how the network is put together.
Happy Holidays!
add an entry to the PC's hosts file pointing the proxy server to null
127.0.0.1 yourproxyserver
users do not have rights to edit the file.
How about this (it seems to work very well for me).
Edit the local group policy on the PC to dis-allow iexplore.exe from running, use 'Add/Remove Programs' to remove all access to Internet Explorer and move the shortcut to Windows Update from the '\Documents and Settings\All Users\Start Menu' to the desktop of the local administrator's profile.
All of my users are running as 'Restricted Users' (no user should even have 'Power User' rights), so this works very well.
Especially on 'KIOSK' type systems. We'll take an additional step & just use NT security to put a no execute on Iexplore.exe.
In addition to this & all the other good ideas mentioned here you can apply this as your default domain policy & use the 'no override' option in group policy to keep those curious users productive as opposed to destructive.
As several of us have pointed out simply removing IE shortcuts is security by obscurity (subverted by clicking the start button, then Run and typing iexplore.exe).
Modifying execute rights is slightly more effective, but easily subverted by downloading and unzipping the FireFox zip file (not the .exe, the zip just extracts it does not run an installer).
Banning a single IP address in a DHCP environment is also not sufficient and a /release may acquire a new IP or a static IP within the scope could be manually configured.
The preferred method would be restriction by MAC address using some form of proxy and/or firewall. This too could be subverted (using a MAC address change App) although this is far beyond the normal user and even some IT techs.
Remember: If there is no corporate policy stipulating punishment for violating company Internet access policy (i.e. subverting restrictions) this is all a moot point. You could always find your most egregious violator and make an example of him/her.
Corporate employee policy is absolutely necessary for this (and plenty of other IT-related) issue(s). Enforcement in a cubicular environment obviously depends on a variety of factors.
A proxy-defining script is very attractive. I've met with good success with security by obscurity, not the least notable of which has been renaming Explorer.exe (&/or Netscape) and/or assigning appropriate rights to the file. You can also use your firewall/AV app to monitor downloads or iterations of alternate browsers.
The ultimate key is to train your users to respect (and not abuse) the power on their desktops. That's personal. And it requires signoff, plus self-enforcement by all management levels and individual personnel.
Thanks to Otis Rush for the above title (check it out or be poorer).
Covers a lot of info without being too wordy... I learned something too thx.
Hi. If you are using XP, you can create a security policy in computer management to block all traffic on port 80. This will kill internet access and nothing else (and requires admin rights to change), and it does not matter what browser you use.
I've set up group policy to disable using Internet Explorer and removed browse through explorer, but the user is now browsing through Outlook. Any settings that could be set on Outlook are impossible since we use an administrative install of Office.
I don't know if you're aware of this, but access to external email requires Internet access. This means that Outlook can be used to perform a great many Internet-related tasks (because it's a huge steaming pile of bloatware with too many functions) that might be blocked through other applications. Most Microsoft software has this kind of unnecessary functional redundancy, making internal security controls very difficult to effectively implement.
Have you addressed the problem by blocking this particular client's Web use at the firewall? That's the most certain way to do it. If you block all Web traffic for this client, all Web traffic for the client system will be blocked, period. If the person in question should be allowed to access externally served email through Outlook, but no other Internet resources, you might consider blocking all ports for that user's system at the firewall except for those necessary for email access (port 110 is a popular/common example).
On the other hand, if you're setting network policy for your organization and someone is violating that policy willfully, you should probably look into assessing disciplinary action. Attempting to circumvent network security without permission is dishonest and just generally bad. It should definitely be addressed administratively, if that is an option.
I had exactly the same problems on our network, certain individuals discovered they could bypass my efforts to stop web browsing by using Outlook. I couldn't find any way around this so for those people, I removed Outlook and installed Mozilla Thunderbird. It's a great free program from the 'Firefox' people, and will import all the messages and contacts from Outlook during install (obviously do this before removing Outlook!). The only limitation you might find for an office environment is its lack of a Calendar and the Appointments utilities, but if you just need a fast, clean email client, I can recommend it. Oh, and did I mention - no web browsing!
Check out the Mozilla project's current work on developing a calendar application to go along with Thunderbird. I intend to try that out.
Apotheon is correct,
Simply applying your GPO & even some of the other tips here without applying account restrictions does not deal with Domain Accounts with mail services.
In your case, I'd guess the easiest way would be to simply setup a domain local group for firewall users & that would end the surfing.
You stated in your post that you removed browse from explorer.exe. How do you do that? We've already removed IE from the boxes but since you can browse from explorer.exe it was a moot point. Teach me.
Jody
When I want to keep the kids from spending the night on the net, I go to RUN>CMD>IPCONFIG /RELEASE to stop the browser. When I want to turn it back on, RUN>CMD>IPCONFIG /RENEW.
Yes, along these lines, can just the browser be disabled but all update software still work? The updates I'd want to allow are Windows Updates and Norton. I'm not sure what ports (port 80?) these update softwares use.
Along these lines, I've seen numerous mentions to not give a user Power User or Admin access, however, in a low maintenance environment, I find that I have to allow this sort of access so that the Windows Updates are allowed and Norton Updates are allowed. In a small SOHO environment (peer to peer or one server), how can you allow these updates but still give the user limited privileges?
I haven't done much SOHO in the last 2 years, but the answer is in group policy.
If the users are dumb, killing iexplore.exe will do the trick. As previously mentioned by someone, it won't take most long to figure out Windows Explorer can be used to visit websites.
All I can say is gpedit.msc
Your situation is tough because your main hurdle is convincing the proprietor to kick down for XP SP2 on all his machines and getting at least one server and converting to Single Master Domain.
That's tough if the business owners are cheapskates...like the ones that won't kick down for a firewall.
I'm remembering something about using IPSec per-user to block access...it might be worth your while to look that up for use in small environments.
Yes. Windows Updates need port 80 and iexplore.exe to run correctly. If anyone knows a way around this, please, speak up. I've got 2 locations in 2 states and I have tried these options on a per-machine basis...something or someone is always hosed and I have to undo it.
I'd have to look it up (correct me if I'm wrong) but I believe SUS and WUS does too, so even if you update from an internal SUS server you'll hose it if you try many of the all-or-nothing solutions, as manually updating sux.
The new GPO's in WinXP SP2 are your friend this time, as they make it possible to cut off net access with exceptions (like Windows Update) or make it possible (with an AD Domain) to cut off whole groups of computers or lusers.
For instance: I want the forklift drivers to drive forklift, not download Sarah Michelle Gellar.
At the same time, I want to log in to the SAME machine and access eventid.net or techrepublic without having to undo what I did to allow myself access to the net and then have to redo it when I leave...that's a frikkin lot of work, dude!
That sort of carefully controlled environment is difficult to achieve with a Windows network. You could probably do it by segmenting the network and controlling traffic between network segments with a tiered Windows update deployment setup, so that individual machines aren't getting direct access to the Internet, and with a proxy server that grants access to some user accounts but not others (I think it'd have to be a non-Windows proxy server, like Squid on Linux, to work properly, though I'm not sure about that).
If you were running Linux systems, it would be much, much easier, since Linux (like any Unix) is an inherently multi-user system. All you would have to do is create user accounts with specifically tailored application access for the users that you don't want doing anything except what is directly required for their jobs. This sort of thing is sorta possible in a Windows network, but it tends to require jumping through a lot of hoops, tying OS configuration into knots, and a lot of server-side monkeying around.
I have had the same question and I think I may have found a solution. GFI LanGuard accomplishes this by scanning the network and nodes that sit on the network for vulnerabilities. This scan identifies missing patches and will actually download them for you. This creates a library of patches and fixes that the program can then roll out remotely. The only downside is that there needs to be someone on the other end to get the process rolling. The Software is relatively inexpensive too!
Though I'm not really a Mickeysoft fanatic (although being a 2003 admin currently, but also knowing my way around U(Li)nux or Novell), I'd say: go for MS ISA server. Its tight integration with the AD makes it a breeze to administer. Add some GFI Download Security and you're the man.
An internal SUS server will download the updates and can schedule downloads to all other computers using GPO or login scripts without them having local admin rights or internet access. We use ISA server and set up Allowed sites rules to only allow access for certain users to those sites only and another rule to allow no internet access at all.