block certain user of internet access 2

Status
Not open for further replies.

xmario2013

IS-IT--Management
Feb 1, 2004
285
US
Hi All:

We have about half of the people in the company not supposed to have Internet access from their desktop. Currently the access depends on the TCP/IP settings of each desktop, which is easy to forget when users need to swap computers.

We recently upgraded the NT domain to 2003 AD in mixed mode. We would like to set up a GPO or some kind of enterprise-wide rule that can restrict access depending on who they log in as, and thus determine whether it will block port 80 and other ports.

Is it possible?

Thanks
XM
 
Create a GPO that assigns a Proxy server. Set the proxy to a FAKE proxy location. Make sure you check to bypass proxy for local sites. Use the same GPO to prevent the user from changing the proxy info. Assign the proxy to the No Internet users.

When these users try to go out on the Internet their machine won't find it because it can't find the proxy. It will still work for local sites if you have an intranet.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
I don't know how your users connect to the Internet. If you use a proxy server, you can create a group called Internet Access (or something) and give permission to that group in the proxy server. If a user is not in that group, the proxy server will deny access.
 
We don't have a proxy server, just a router; whoever has the correct DNS to hit the router/firewall, that machine can go out to the Internet. Is there any way to set this up in Internet Explorer or block certain ports with packet filtering on each workstation?

XM
 
markdmac gave you the best answer. Same method I have used in the past.

If you want to walk around to each workstation and put a fake proxy in IE instead of doing it via GPO I guess that's an option.

FRCP
 
What if we have some people still using NT Workstation?
Will the GPO get through to them?

Thanks
 
One question also: will this method also stop people from using FTP, telnet or other Internet-related services, or just HTTP?

Thanks


 
NT4 will also need the DSClient software to be installed. Even with DSClient, AD support on NT4 is VERY limited.

I would strongly suggest you retire these machines.

In answer to the question on FTP or telnet, no this would not block that access if the user were to use the command line. FTP via IE would be blocked.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
A thought on CLI-based FTP / telnet - if practical, block command prompt access for those users as well (can be done via GP).

You could also add these users to a group that you then deny access to the FTP and telnet programs (change permissions on these files w/ CACLS / XCACLS from a startup script).
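
The startup-script approach suggested in the post above, as an added example that is not part of the original thread. It assumes a domain group named `EXAMPLE\NoInternetUsers` (a placeholder) and a log path chosen for illustration, and is meant to be assigned as a computer startup script so it runs with rights to edit ACLs under `%SystemRoot%`.

```batch
@echo off
rem Added example (not from the thread): add a Deny entry for the
rem "no Internet" group on the command-line FTP and telnet clients.
rem ASSUMPTION: group name and log path are placeholders; use your own.
setlocal
set "DENYGROUP=EXAMPLE\NoInternetUsers"
set "LOG=%SystemRoot%\Temp\deny-netclients.log"

echo %DATE% %TIME% applying deny entries for %DENYGROUP% >> "%LOG%"

rem system32 holds the live binaries. dllcache holds the copies kept by
rem Windows File Protection on Windows 2000/XP; it is covered as well,
rem and skipped where the folder or file does not exist.
for %%D in ("%SystemRoot%\system32" "%SystemRoot%\system32\dllcache") do (
    for %%F in (ftp.exe telnet.exe) do (
        if exist "%%~D\%%F" (
            rem /E edits the existing ACL instead of replacing it.
            rem /D adds a deny entry for the named group.
            cacls "%%~D\%%F" /E /D "%DENYGROUP%" >> "%LOG%" 2>&1
        ) else (
            echo skipped %%~D\%%F - not present >> "%LOG%"
        )
    )
)

rem Record the resulting ACLs so the change can be reviewed later.
cacls "%SystemRoot%\system32\ftp.exe" >> "%LOG%" 2>&1
cacls "%SystemRoot%\system32\telnet.exe" >> "%LOG%" 2>&1
endlocal
```

This only restricts the two named programs on the workstation; as the thread notes, it is an additional lockdown on top of the proxy GPO, not a network-level block.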
 
That is correct, you could do additional lockdowns to achieve that goal.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 