
Disable Internet Access & External Email with Group Policies?


kaoboda (IS-IT--Management), Sep 10, 2002
My CEO has recently handed down a request to disable Internet access (except to our website) and to disable the ability to receive and send external email for a group of users here on campus.

I've read the Group Policy section in my Mastering Windows 2000 book and I've done a keyword search on here, but I have had no luck. Is what he is wanting me to do possible using group policies? If not, what do you recommend?
 
The Group Policy itself can't do what you want, but a firewall can, or proxy server. Essentially, if you can cordon off the group of workstations to be restricted, then connect them to a hub, and then connect a small server to the hub, multihomed to the rest of the network as is. Install Proxy Server, or MS ISA server, or some other cheap firewall solution (Linux springs to mind), you can customise it to handle the restrictions you mention. And this can be done without upsetting the rest of the network, or other workstations.
The Linux option you can do for free, but it will cost in time to learn (though not much time, as Linux is very easy to come to terms with). Plus you have the added advantage that it rarely needs attention once you have finished configuring the firewall/proxy settings.

Then, you can also set the Group policies of the domain to disallow changing the home page setting in IE, and set the home page to default to the page you want them to go to, and only have access to.

There may be an easier way... but as I have not done this, and am only going from personal knowledge, rather than practical knowledge, this is all I can offer...

But you definitely won't be able to do what you want using the Group Policy.

Will
 
Thanks for the quick response...

Unfortunately, I don't think the firewall option will work for me either. The users are spread out all over my campus, in about 10 or so different buildings. Since both supervisors and regular users use the same machines, I can't filter by IP address either.

Basically, my CEO came and said that he only wants the supervisors and management staff to have external email and Internet access.

In talking with a guy who knows Exchange inside and out, he said the email portion isn't possible for sure. As for the Internet access part, I guess I'm going to continue looking into that, but I'm sure I'm going to run into the same problems.

Thanks again though!
 
1) You can disable Internet Access via Group Policy by setting up an I.E. rule that points all computers at a bogus proxy server address.
2) Are you running Exchange 5.5 or 2K?
 
Thinking about it as you have posted again, you may be able to disallow using Internet Explorer for one Group Policy, but not the others... but limiting Internet access and email has to be done on the firewall level. Sorry I haven't helped much... but I hope this info helps you look in the right places... :)

Will
 
Just as Bronto says, but that's only if you want to limit all IE access... if you still want access to the one site, then the bogus proxy won't work.

Will
 
Use the internal IP address of your website for users on the LAN (assuming there is one) and I.E. will not attempt the proxy connection... in this case, the bogus will work.
 
Good thinking watson! I of course assumed their website was externally hosted... something in the words! :)

Will
 
Hmm, great ideas.

My website is indeed hosted internally so I will give that a shot. Also, I'm running MS Exchange 2000 with SP3.
 
You could probably not place a gateway in their TCP/IP settings. They wouldn't have a way of getting out, but could get to the internal website.

Glen A. Johnson
 
OK, for E2K, here's how to handle the email blocking...(this is from a prior post of mine...sorry about the overuse of the word "bogus")

To block users from receiving mail, create a second "bogus" domain on your Recipient Policy. Then, on all the users you want to block from receiving, add this new SMTP address, make it Primary, and remove their original "real" SMTP address.
To block outgoing, you'll need to set up an SMTP Connector, using * as your default domain. Then add in your restricted users under Delivery permissions. Lastly, do the registry edit in this article to make it take effect...

and tell your exchange friend you know more than him. :)
 
Well, I began thinking about the Exchange thing and I found a much easier workaround.

Since I had the Exchange connector installed into AD, I just went into the user's account, E-mail addresses, and edited their address.

For example, bob.johnson@company.com became bob.johnson@company - and this works. If the user tries to send email out, they get an NDR back saying SMTP settings are incorrect, and also if someone sends something to them, the sender gets an NDR Failure message back.

Just thought I'd share my workaround.
 
Well, actually, yeah... but I'll just have one of the other IT people edit those who don't require it. =)
 
Glen,

Thanks for the response, but I don't think I can do it that way. We run DHCP here and both our managers (who will have Internet access) and users (who won't) use the same machines.

I really wish Microsoft just had something in AD that would allow for a ON/OFF type of access when a user signed on. I'm sure others thought of it before me. Maybe I'll send my request to MS.

Thanks again for the response.

Also thanks to bronotosaurus and Will for spurring me to find my own workaround. Now if I can only come up with something quick and easy for the Internet issue. =)
 
Many people just think IPsec is used for secure IP traffic, but you can use IPsec to just filter specific ports (like 80, and you can do this with an OU to target those users).

You can set this up via the MMC, or MS has a command line script tool.

You could cache your company's website locally on their machines if it isn't too large, or you could broadcast your website for them with port 88, for example, so they could still get to it.

Lots of ways to do this, just got to pick the best one.

Also, your friend should read more about Exchange; you can control access through the IC, I do believe. You can also make them a member of a dist list that has restricted rights.

 
For my Internet blocking scheme, I just built a new group policy called Restricted. Inside my department groups, I put another OG called Restricted and applied the policy to that.

I used the GPO to turn the Open box, Internet Options, etc. I set up the fake proxy like recommended and set the homepage as an internal addy that I had in my DNS. Works like a charm.

Thanks for all of the help and replies on my two questions... Now what, I'll have like 50000 calls Monday on why there is no more Internet access and external email.
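
The fake-proxy restriction discussed in this thread, as an added example that is not part of any poster's reply: a PowerShell audit that reports which hosts a restricted user's IE proxy settings send direct and which go to the dead proxy. The host names, the 10.0.0.x addresses and the 127.0.0.1:9 proxy value are constructed placeholders, and the exceptions list is modelled as semicolon-separated host patterns.

```powershell
# Added example (not from the thread): audit the "bogus proxy" restriction for one user.
# Constructed values: intranet.company.com, 10.0.0.10 and 127.0.0.1:9 are placeholders.

function Test-ProxyBypass {
    # $true when a ProxyOverride (exceptions) entry makes the client connect directly.
    param([string]$HostName, [string]$ProxyOverride)
    $entries = $ProxyOverride -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -eq '<local>') {
            # <local> matches only names without a dot; a dotted IP address is still proxied.
            if ($HostName -notmatch '\.') { return $true }
        }
        elseif ($HostName -like $entry) { return $true }   # entries may use * wildcards
    }
    return $false
}

function Get-RestrictionReport {
    # $Settings needs ProxyEnable, ProxyServer and ProxyOverride properties.
    param($Settings, [string[]]$HostNames)
    foreach ($name in $HostNames) {
        $direct = ($Settings.ProxyEnable -ne 1) -or
                  (Test-ProxyBypass -HostName $name -ProxyOverride $Settings.ProxyOverride)
        $route = if ($direct) { 'direct' } else { "via proxy $($Settings.ProxyServer)" }
        [pscustomobject]@{ HostName = $name; Route = $route }
    }
}

# Constructed settings modelling the restricted GPO: dead proxy plus exceptions for the internal site.
$sample = [pscustomobject]@{
    ProxyEnable   = 1
    ProxyServer   = '127.0.0.1:9'
    ProxyOverride = 'intranet.company.com;10.0.0.10;<local>'
}
$targets = 'intranet', 'intranet.company.com', '10.0.0.10', '10.0.0.11', 'www.example.com'
Get-RestrictionReport -Settings $sample -HostNames $targets | Format-Table -AutoSize

# On a restricted workstation, run the same report against the logged-on user's live values.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $key) {
    $live = Get-ItemProperty -Path $key
    Get-RestrictionReport -Settings $live -HostNames $targets | Format-Table -AutoSize
}
```

These values live under HKCU, so they follow the user rather than the shared machine, but they only steer applications that honour the IE proxy settings. Enforcing the block for all traffic still takes the firewall or proxy approach raised earlier in the thread.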
 