Deny access to web from Windows 2003 server

[outonalimb]

We are running terminal services on one Windows 2003 server and one Windows 2000 server to which multiple clients connect to over the internet.

However, we don't have a proxy server or any other device that can block access to 'dodgy' web sites if requested.

The problem we have is that people are surfing the 'net from the server and getting the server infected with spyware and other nasties as well as downloading inappropriate content.

Is there a way of denying http traffic from reaching the server? I just want to stop anyone surfing from these servers without it affecting the RDP traffic. I want to manually perform Windows Updates and anti-virus updates to the server amd get back some control.

Any help would be appreciated.

 

[itsp1965]

A couple of things you can try;
- Setup group policy to restrict access to IE
- Changing security settings on the internet explorer application and its folder to only allow administrators to run it.

Hope this helps.

 

[monsterjta]

You could create a policy that configures the Proxy Server setting for IE for your TS users, and disallow them from changing IE settings. The Proxy Settings would simply point to localhost. Hence, disabling internet browsing.

Along with this, you would need to configure Loopback Processing for your Terminal Servers so that your users will only get this IE policy only on TS boxes and not their regular workstations.

I prefer to change the Proxy Setting with VBScript rather than the native Proxy GPO, because I have found that the native policies are tricky and do not work as intended.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN