Question
January 7, 2009 at 10:54 am #2155273
How to disable the Internet access for any or specific applications?
by alex · about 15 years, 2 months ago
I am looking for a way to disable Internet access in a 2003 Active Directory domain for specific users, computers or a container, with Group Policy or some other way, but without any additional software. The users should be able to access domain-wide resources but not Internet resources. This applies to any software that is installed on a PC, including but not limited to IE, Windows Explorer, Firefox, Opera, Yahoo, MSN, ICQ, and other messengers. Any suggestions?
All Answers
January 7, 2009 at 10:54 am #2978445
Clarifications
by alex · about 15 years, 2 months ago
In reply to How to disable the Internet access for any or specific applications?
Clarifications
-
January 7, 2009 at 11:15 am #2978437
You ask the impossible
by cmiller5400 · about 15 years, 2 months ago
In reply to How to disable the Internet access for any or specific applications?
If you want to disable the internet for users you must install software somewhere to do this.
One way would be a proxy server to process the internet requests. If you don’t have the proxy server specified in IE, you don’t get out.
Edit: either not supposta’ be there.
-
January 7, 2009 at 11:27 am #2978425
Cmiller speaks the truth
by robo_dev · about 15 years, 2 months ago
In reply to You ask the impossible
In a larger enterprise, WebSense is a very good proxy.
I’m a big fan of RhinoSoft AllegroSurf since it is very low cost, yet integrates with Windows login and is very full featured. Have set it up for home, small office, and education users.
-
-
January 7, 2009 at 12:35 pm #2978384
Not for specific applications
by rob miners · about 15 years, 2 months ago
In reply to How to disable the Internet access for any or specific applications?
Restrict user to access the internet from Windows Server 2003 Ent. ..
In Active Directory Users and Computers create a Security Group in Security Group NoIe. Right mouse click on the Domain Name and make an Organisational Unit named NoIe. Right mouse click on it and select Group Policy click on Open.
Right mouse click on Group Policy Objects select New and type in NoIe.
Right mouse click on NoIe and select Edit.
Navigate to User Configuration \Windows Settings \Internet Explorer Maintenance \Connection \Proxy Settings.
Set all instances of proxies to “127.0.0.1” or any non-valid proxy address.
Navigate to User Configuration \Administrative templates \Windows Components \Internet Explorer \Internet Control Panel and disable the Pages that you do not want the User to access especially the Connections Page.
Close the Editor. Right mouse click on the NoIe Organisational Unit and select Link an Existing GPO and select NoIe.
Add the Users that you do not want to access the Internet to the Security Group NoIe.
Add the Users that you do not want to access the Internet to the Organisational Unit NoIe.
Left mouse click on Start and select Run
Type in gpupdate /force and select OK.
When it has finished updating press n.
Works with XP and Vista
Another alternative
Configuring Clients to Proxy using Group Policy or Login Script
http://www.stbernard.com/ip4kb/iPrism/Networking/Sessions-Clients/Browsers/IP0346.htm
————- copy below this line ———————-
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="127.0.0.1"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000000

————- copy above this line including the blank line ———————-
Standard users can not change proxy settings after Internet Explorer 7 installation.
http://support.microsoft.com/default.aspx/kb/555850
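A check for the .reg approach in the post above, as an added example that is not part of the original post: it parses a .reg file and lists the reasons it would not enforce a dead-proxy lockout in Internet Explorer. The two samples are constructed (the first reproduces the values posted above); the function names, the loopback test and the `<local>` bypass requirement (taken from the question's need to keep domain resources reachable) are assumptions of this example.

```python
import re
# Constructed sample: the values from the .reg file in the post above.
POSTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="127.0.0.1"
"ProxyOverride"=""

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000000
'''
# Constructed sample: the same keys with the lockout actually switched on.
ENFORCING = (POSTED.replace('"ProxyEnable"=dword:00000000', '"ProxyEnable"=dword:00000001')
             .replace('"ProxyOverride"=""', '"ProxyOverride"="<local>"')
             .replace('"ConnectionsTab"=dword:00000000', '"ConnectionsTab"=dword:00000001'))

INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PANEL = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"

def parse_reg(text):
    """Parse string and dword entries of a .reg file into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.lower().startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:
                current[name] = raw.strip('"')
    return keys

def audit(text):
    """Return the reasons this file does not enforce the dead-proxy lockout."""
    keys = parse_reg(text)
    inet, panel, findings = keys.get(INET, {}), keys.get(PANEL, {}), []
    if inet.get("ProxyEnable") != 1:
        findings.append("ProxyEnable is not 1: the proxy is ignored, traffic goes direct")
    host = inet.get("ProxyServer", "").split(":")[0]
    if host not in ("127.0.0.1", "localhost"):
        findings.append("ProxyServer is not a loopback address")
    if "<local>" not in inet.get("ProxyOverride", "").split(";"):
        findings.append("ProxyOverride lacks <local>: intranet names also hit the dead proxy")
    if panel.get("ConnectionsTab") != 1:
        findings.append("ConnectionsTab is not 1: the Connections page is still shown")
    return findings
```

`audit(POSTED)` reports three findings and `audit(ENFORCING)` reports none; either way the settings only bind software that reads the Internet Explorer proxy configuration.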
-
January 8, 2009 at 11:59 am #2987853
This only works for the Internet Explorer
by alex · about 15 years, 2 months ago
In reply to Not for specific applications
If I have Firefox or Opera installed (and I do), this GPO would not affect other browsers and also would not affect some instant messengers.
-
-
January 7, 2009 at 1:53 pm #2978352
Block it at your firewall
by jdclyde · about 15 years, 2 months ago
In reply to How to disable the Internet access for any or specific applications?
You can do this a few ways.
Block all traffic and then only allow certain traffic from certain systems to go out, would work, and depending on your firewall, would be fairly easy to do.
Of course, keep in mind Windows updates and AV updates.
-
January 8, 2009 at 12:08 pm #2987849
But firewall can only work with computers
by alex · about 15 years, 2 months ago
In reply to Block it at your firewall
I need user based control
-
January 8, 2009 at 12:17 pm #2987843
I’ve got an idea, let me know if it is worth trying.
by alex · about 15 years, 2 months ago
In reply to But firewall can only work with computers
1. Enable WINS on the server.
2. Restrict users from changing network settings
3. Create logon and logoff scripts and assign them to the container through GP, where the logon script would take off DNS and the logoff script would put it back on.
My question is: will WINS be able to handle all AD 2003 communication?
If you have any other suggestions please let me know. I do not really want to use any third party software or hardware to handle this problem.
Thanks everybody who committed to my question!
-
-
-
January 8, 2009 at 12:20 pm #2987842
I’ve got an idea, let me know if it is worth trying.
by alex · about 15 years, 2 months ago
In reply to How to disable the Internet access for any or specific applications?
1. Enable WINS on the server.
2. Restrict users from changing network settings
3. Create logon and logoff scripts and assign them to the container through GP, where the logon script would take off DNS and the logoff script would put it back on.
-
January 9, 2009 at 9:06 am #2971764
May not work.
by cmiller5400 · about 15 years, 2 months ago
In reply to I’ve got an idea, let me know if it is worth trying.
WINS may not take care of all DNS requests. They operate on different ports (WINS uses port 137, DNS uses port 53) so anything that does a DNS lookup by port will fail.
Besides, wouldn’t it be easier to set up a GPO that points to a bogus proxy server and check the “bypass proxy server for local addresses” option?
-
January 9, 2009 at 9:28 am #2971746
I hate to repeat myself but… proxy proxy proxy
by robo_dev · about 15 years, 2 months ago
In reply to May not work.
A proxy server of any type is soooo much easier.
Beyond controlling/restricting web access or application access, these help to prevent malware since proxies like WebSense get their blocking list updated as often as once a minute, and they have 50 million data collectors to catch and block sites that host malware or viruses.
I’ve worked with both WebSense Enterprise and WebSense Express... both good products. Plus it logs everything.
For those on a budget, there is RhinoSoft AllegroSurf at between $10-$20 a seat (I use that at home).
Even cheaper (free) is Squid with the DansGuardian add-on (also free).
-
January 12, 2009 at 12:57 pm #2987983
I know we sound like a broken record…
by cmiller5400 · about 15 years, 2 months ago
In reply to I hate to repeat myself but… proxy proxy proxy
But sometimes you need to spend $$ to do something right.