
Block Internet via GP by Computer

Status
Not open for further replies.

PU36

MIS
Mar 16, 2005
202
US
Windows XP Machines and Windows Server 2003 R2.

I want to be able to block access to the internet by computer. I have read how to do it via user but I need it via computer.

Any suggestions would be appreciated.
 
If IE is your browser then you need to create a software restriction policy blocking the executable from launching.
Drill down: Computer Configuration -> Windows Settings -> Security Settings -> Software Restrictions -> Additional Rules
Create a new Hash or Path rule. With a Hash rule you will browse to the executable, for example C:\Program Files\Internet Explorer\iexplore.exe, and set the security level to Disallowed. This will add the software hash as the rule, so even if a user copies the exe and renames it the file will not run.
With the path rule, anything in the specified directory is off limits and cannot be run.
This works the same for any other browser or application. You will need to create an OU and add your workstations that you do not want to have internet access to that OU and link the policy there along with any other standard policies you have.

"I'm certifiable, not certified. It just means my answers are from experience...not a book"
 
In addition to drew's post - you could also

1. Block access to the internet from those PCs on your firewall. This would involve giving them static IP addresses or creating reservations on your DHCP server so that the PCs always have the same name.

2. Deny all users permissions to the C:\Program Files\Internet Explorer folder - that way they can't even open it. Although drew's suggestions about software restriction policies are good, the problem with path rules is that users can copy the executable to somewhere else to get around the rule. And the problem with hash rules is that the file hash can change if the file is updated.

Just thought I'd add my $0.02 for what it's worth !!

Good Luck

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
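The hash-rule versus path-rule trade-off raised in the two replies above, as an added example that is not part of either post: a simplified Python model (not Windows' own rule engine) that checks which of three cases each rule type still disallows. SHA-256, the file contents and the `C:\Temp\copy.exe` location are constructed assumptions for illustration.

```python
import hashlib
import ntpath
import os
import tempfile

def file_hash(path):
    """Content digest; SHA-256 is a stand-in for whatever hash the policy stores."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def is_blocked(win_path, local_file, hash_rules, path_rules):
    """Return the rule type that disallows the file, or None if it would run."""
    if file_hash(local_file) in hash_rules:
        return "hash"  # content match: the file's name and location are irrelevant
    folder = ntpath.dirname(win_path).lower()
    for rule in path_rules:
        rule = rule.lower().rstrip("\\")
        if folder == rule or folder.startswith(rule + "\\"):
            return "path"  # location match: the file's content is irrelevant
    return None

def coverage_report():
    """Evaluate three constructed cases against hash-only, path-only and combined rules."""
    ie_dir = r"C:\Program Files\Internet Explorer"
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.bin")
        updated = os.path.join(tmp, "updated.bin")
        with open(original, "wb") as f:
            f.write(b"constructed stand-in for iexplore.exe v1")
        with open(updated, "wb") as f:
            f.write(b"constructed stand-in for iexplore.exe v2 (patched)")
        hash_rules = {file_hash(original)}  # hash recorded when the rule was created
        path_rules = [ie_dir]
        cases = {
            "original in place": (ie_dir + r"\iexplore.exe", original),
            "renamed copy elsewhere": (r"C:\Temp\copy.exe", original),
            "updated binary in place": (ie_dir + r"\iexplore.exe", updated),
        }
        report = {}
        for name, (win_path, local) in cases.items():
            report[name] = {
                "hash only": is_blocked(win_path, local, hash_rules, []),
                "path only": is_blocked(win_path, local, set(), path_rules),
                "both": is_blocked(win_path, local, hash_rules, path_rules),
            }
        return report

if __name__ == "__main__":
    for case, result in coverage_report().items():
        print(f"{case:26} {result}")
```

In this model only the combined policy disallows all three cases, and the hash rule has to be regenerated whenever the executable is patched.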
 
There may be better solutions outside of Windows (dare I say that?!). Depending on your infrastructure......

However, there are some things that you can also consider, in addition to the excellent ideas above.
1. If the target machines are not in a routed network (they're in a single subnet), create DHCP reservations for them without gateway settings, and use a GPO to keep them from editing the network settings.

2. Use a GPO to configure a nonexistent proxy server.

Pat Richard
Microsoft Exchange MVP
 
Remove the Internet Explorer icon altogether by using a policy.


This is by user though, you said you wanted to do it by computer, but this does the trick.

You may need to go as far as hiding your system drive from the users if you think they're savvy enough to find the exe for launching Internet Explorer.
 
Thanks for all your input. What I ended up using was a program that I found here;


It allows you to still have access to the browser and navigate our intranet sites and any other sites that we place in the "allow" field.

The whole process is controlled through a single GPO at the domain level. I created the GPO, changed the "Apply to" permissions to a group, added the computers I wanted to lock down to that group and done. The next time they reboot they can only access those sites.
 
....just remembered, there is an option/tick box within group policy to make the Internet Explorer settings by computer.... as opposed to user
 