Question

  • Creator
    Topic
  • #2155273

    How to disable the Internet access for any or specific applications?

    Locked

    by alex ·

    I am looking for a way to disable Internet access in 2003 Active Directory for specific users, computers or a container with Group Policy or another way, but without any additional software. The users should be able to access domain-wide resources but not Internet resources. Any software that is installed on a PC, including but not limited to IE, Windows Explorer, Firefox, Opera, Yahoo, MSN, ICQ, and other messengers. Any suggestions?

All Answers

  • Author
    Replies
    • #2978445

      Clarifications

      by alex ·

      In reply to How to disable the Internet access for any or specific applications?

      Clarifications

    • #2978437

      You ask the impossible

      by cmiller5400 ·

      In reply to How to disable the Internet access for any or specific applications?

      If you want to disable the internet for users you must install software somewhere to do this.

      One way would be a proxy server to process the internet requests. If you don’t have the proxy server specified in IE, you don’t get out.

      Edit: either not supposta’ be there.

      • #2978425

        Cmiller speaks the truth

        by robo_dev ·

        In reply to You ask the impossible

        In a larger enterprise, WebSense is a very good proxy.

        I’m a big fan of RhinoSoft AllegroSurf since it is very low cost, yet integrates with Windows login and is very full featured. Have set it up for home, small office, and education users.

    • #2978384

      Not for specific applications

      by rob miners ·

      In reply to How to disable the Internet access for any or specific applications?

      Restrict user to access the internet from Windows Server 2003 Ent. ..
      In Active Directory Users and Computers create a Security Group in Security Group NoIe.

      Right mouse click on the Domain Name and make an Organisational Unit named NoIe. Right mouse click on it and select Group Policy click on Open.

      Right mouse click on Group Policy Objects select New and type in NoIe.

      Right mouse click on NoIe and select Edit.

      Navigate to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings.

      Set all instances of proxies to “127.0.0.1” or any non-valid proxy address.

      Navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel and disable the Pages that you do not want the User to access especially the Connections Page.

      Close the Editor.

      Right mouse click on the NoIe Organisational Unit and select Link an Existing GPO and select NoIe.

      Add the Users that you do not want to access the Internet to the Security Group NoIe.

      Add the Users that you do not want to access the Internet to the Organisational Unit NoIe.

      Left mouse click on Start and select Run

      Type in gpupdate /force and select OK.

      When it has finished updating press n.

      Works with XP and Vista

      Another alternative

      Configuring Clients to Proxy using Group Policy or Login Script

      http://www.stbernard.com/ip4kb/iPrism/Networking/Sessions-Clients/Browsers/IP0346.htm

      ————- copy below this line ———————-
      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "ProxyEnable"=dword:00000000
      "ProxyServer"="127.0.0.1"
      "ProxyOverride"="

      [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
      "ConnectionsTab"=dword:00000000

      ————- copy above this line including the blank line ———————-

      Standard users can not change proxy settings after Internet Explorer 7 installation.

      http://support.microsoft.com/default.aspx/kb/555850
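
Added example, not part of the post above: a PowerShell check an administrator can run in the restricted user's session to see whether the dead-proxy settings are actually in force. The registry paths and value names are the ones in the .reg text above; the `Get-RegValue` helper and the interpretation of each value (including the `<local>` bypass token) are assumptions of this example.

```powershell
# Added example: audit the per-user WinINet proxy values that the GPO / .reg sets.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# Hypothetical helper: return $null instead of throwing when a key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$enable   = Get-RegValue $inet 'ProxyEnable'
$server   = Get-RegValue $inet 'ProxyServer'
$override = Get-RegValue $inet 'ProxyOverride'
$connTab  = Get-RegValue $pol  'ConnectionsTab'

$findings = @()

# ProxyServer is only consulted when ProxyEnable is 1.
if ($enable -ne 1) {
    $findings += "ProxyEnable is '$enable': the proxy in ProxyServer is not being used."
}

# The post points every protocol at 127.0.0.1 so requests go nowhere.
if (-not $server) {
    $findings += 'ProxyServer is empty: no proxy is configured.'
} elseif ($server -notlike '*127.0.0.1*') {
    $findings += "ProxyServer is '$server', not the loopback address from the post."
}

# '<local>' is what "Bypass proxy server for local addresses" stores; without it,
# single-label intranet names are also sent to the dead proxy.
if ($override -notlike '*<local>*') {
    $findings += "ProxyOverride is '$override': no bypass for local addresses."
}

# The policy value hides the Connections page only when it is 1.
if ($connTab -ne 1) {
    $findings += "ConnectionsTab is '$connTab': the user can still open the Connections page."
}

if ($findings.Count -eq 0) {
    "Dead-proxy restriction is in effect for $env:USERNAME."
} else {
    $findings
}
```

The check reads only the Internet Explorer (WinINet) settings for the logged-on user, so a clean result says nothing about applications that keep their own proxy configuration.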

      • #2987853

        This only works for Internet Explorer

        by alex ·

        In reply to Not for specific applications

        If I have Firefox or Opera installed (and I do), this GPO would not affect other browsers and also would not affect some instant messengers.

    • #2978352

      Block it at your firewall

      by jdclyde ·

      In reply to How to disable the Internet access for any or specific applications?

      You can do this a few ways.

      Block all traffic and then only allow certain traffic from certain systems to go out, would work, and depending on your firewall, would be fairly easy to do.

      Of course, keep in mind Windows updates and AV updates.

      • #2987849

        But firewall can only work with computers

        by alex ·

        In reply to Block it at your firewall

        I need user based control

        • #2987843

          I’ve got an idea, let me know if it is worth trying.

          by alex ·

          In reply to But firewall can only work with computers

          1. Enable WINS on the server.
          2. Restrict users from changing network settings
          3. Create logon and logoff scripts and assign them to the container through GP, where the logon script would take off DNS and the logoff script would put it back on.

          My question is: will WINS be able to handle all AD 2003 communication?

          If you have any other suggestions please let me know. I do not really want to use any third party software or hardware to handle this problem.

          Thanks everybody who committed to my question!

    • #2987842

      I’ve got an idea, let me know if it is worth trying.

      by alex ·

      In reply to How to disable the Internet access for any or specific applications?

      1. Enable WINS on the server.
      2. Restrict users from changing network settings
      3. Create logon and logoff scripts and assign them to the container through GP, where the logon script would take off DNS and the logoff script would put it back on.

      • #2971764

        May not work.

        by cmiller5400 ·

        In reply to I’ve got an idea, let me know if it is worth trying.

        WINS may not take care of all DNS requests. They operate on different ports (WINS uses port 137, DNS uses port 53) so anything that does a DNS lookup by port will fail.

        Besides, wouldn’t it be easier to set up a GPO that points to a bogus proxy server and check “bypass proxy server for local addresses”?

        • #2971746

          I hate to repeat myself but….proxy proxy proxy

          by robo_dev ·

          In reply to May not work.

          A proxy server of any type is soooo much easier.

          Beyond controlling/restricting web access or application access, these help to prevent malware since proxies like WebSense get their blocking list updated as often as once a minute, and they have 50 million data collectors to catch and block sites that host malware or viruses.

          I’ve worked with both WebSense Enterprise and WebSense Express. Both good products. Plus it logs everything.

          For those on a budget, there is RhinoSoft AllegroSurf at between $10-$20 a seat (I use that at home).

          Even cheaper (free) is Squid with the DansGuardian add-on (also free).

        • #2987983

          I know we sound like a broken record…

          by cmiller5400 ·

          In reply to I hate to repeat myself but….proxy proxy proxy

          But sometimes you need to spend $$ to do something right.
