How to disable the Internet access for any or specific applications?

alex
I am looking for a way to disable Internet access in a 2003 Active Directory for specific users, computers or a container, with Group Policy or some other way, but without any additional software. The users should be able to access domain-wide resources but not Internet resources. Any software that is installed on a PC, including but not limited to IE, Windows Explorer, Firefox, Opera, Yahoo, MSN, ICQ, and other messengers. Any suggestions?

cmiller5400

If you want to disable the internet for users you must install software somewhere to do this.

One way would be a proxy server to process the internet requests. If you don't have the proxy server specified in IE, you don't get out.

Edit: either not supposta' be there.

robo_dev

In a larger enterprise, WebSense is a very good proxy.

I'm a big fan of RhinoSoft AllegroSurf since it is very low cost, yet integrates with Windows login and is very full featured. Have set it up for home, small office, and education users.

Jacky Howe

Restrict user to access the internet from Windows Server 2003 Ent. ..

In Active Directory Users and Computers create a Security Group in Security Group NoIe.

Right mouse click on the Domain Name and make an Organisational Unit named NoIe. Right mouse click on it and select Group Policy click on Open.

Right mouse click on Group Policy Objects select New and type in NoIe.

Right mouse click on NoIe and select Edit.

Navigate to User Configuration \Windows Settings \Internet Explorer Maintenance \Connection \Proxy Settings.

Set all instances of proxies to "127.0.0.1" or any non-valid proxy address.

Navigate to User Configuration \Administrative templates \Windows Components \Internet Explorer \Internet Control Panel and disable the Pages that you do not want the User to access especially the Connections Page.

Close the Editor.

Right mouse click on the NoIe Organisational Unit and select Link an Existing GPO and select NoIe.

Add the Users that you do not want to access the Internet to the Security Group NoIe.

Add the Users that you do not want to access the Internet to the Organisational Unit NoIe.

Left mouse click on Start and select Run

Type in gpupdate /force and select OK.

When it has finished updating press n.

Works with XP and Vista

Another alternative

Configuring Clients to Proxy using Group Policy or Login Script

http://www.stbernard.com/ip4kb/iPrism/Networking/Sessions-Clients/Browsers/IP0346.htm

------------- copy below this line ----------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="127.0.0.1"
"ProxyOverride"="<local>"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000000

------------- copy above this line including the blank line ----------------------

Standard users can not change proxy settings after Internet Explorer 7 installation.

http://support.microsoft.com/default.aspx/kb/555850
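
A check on the registry approach in the post above, as an added example that is not part of the original post: it parses .reg text and reports whether the file would actually force WinINET clients onto a dead-end loopback proxy and hide the Connections tab. The function names and the ENFORCING sample are assumptions made for illustration; AS_POSTED repeats the values shown in the .reg file above.

```python
import re

# Hypothetical helper names; only the key paths and value names come from the thread.
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PANEL = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"

def parse_reg(text):
    """Parse REGEDIT5 text into {key: {value_name: int | str}} (dword and string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            # dword values become ints; string values have doubled backslashes unescaped
            current[m[1]] = int(m[2], 16) if m[2] is not None else m[3].replace("\\\\", "\\")
    return keys

def assess(text):
    """Return reasons the file fails to enforce a dead-end proxy; an empty list means it does."""
    keys = parse_reg(text)
    inet, panel = keys.get(INET, {}), keys.get(PANEL, {})
    problems = []
    if inet.get("ProxyEnable") != 1:
        problems.append("ProxyEnable is not 1, so ProxyServer is ignored")
    server = str(inet.get("ProxyServer", ""))
    # ProxyServer is either "host[:port]" or "http=host:port;https=host:port;..."
    hosts = [part.split("=")[-1].split(":")[0] for part in server.split(";") if part]
    if not hosts or any(h not in ("127.0.0.1", "localhost") for h in hosts):
        problems.append("ProxyServer does not point every protocol at loopback")
    if panel.get("ConnectionsTab") != 1:
        problems.append("ConnectionsTab is not 1, so the Connections tab stays visible")
    return problems

# Constructed samples: AS_POSTED uses the thread's values, ENFORCING sets both dwords to 1.
AS_POSTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="127.0.0.1"
"ProxyOverride"="<local>"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000000
'''
ENFORCING = AS_POSTED.replace("dword:00000000", "dword:00000001")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("enforcing", ENFORCING)):
        print(label, "->", assess(text) or "dead-end proxy enforced")
```

These values are read only by Internet Explorer and other programs that use the WinINET proxy settings; an application with its own proxy configuration does not consult them.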

alex

If I have Firefox or Opera installed (and I do), this GPO would not affect other browsers and also would not affect some instant messengers.

jdclyde

You can do this a few ways.

Block all traffic and then only allow certain traffic from certain systems to go out, would work, and depending on your firewall, would be fairly easy to do.

Of course, keep in mind Windows updates and AV updates.

alex

I need user based control

alex

1. Enable WINS on the server.
2. Restrict users from changing network settings
3. Create logon and logoff scripts and assign them to the container through GP, where the logon script would take off DNS and the logoff script would put it back on.

My question is: will WINS be able to handle all AD 2003 communication?

If you have any other suggestions please let me know. I do not really want to use any third party software or hardware to handle this problem.

Thanks everybody who committed to my question!

cmiller5400

WINS may not take care of all DNS requests. They operate on different ports (WINS uses port 137, DNS uses port 53) so anything that does a DNS lookup by port will fail.

Besides, wouldn't it be easier to set up a GPO that points to a bogus proxy server and check the "bypass proxy server for local addresses" box?

robo_dev

A proxy server of any type is soooo much easier.

Beyond controlling/restricting web access or application access, these help to prevent malware since proxies like WebSense get their blocking list updated as often as once a minute, and they have 50 million data collectors to catch and block sites that host malware or viruses.

I've worked with both WebSense Enterprise and Websense Express..both good products. Plus it logs everything.

For those on a budget, there is RhinoSoft AllegroSurf at between $10-$20 a seat (I use that at home).

Even cheaper (free) is Squid with the DansGuardian add-on (also free).