group police to disable internet access 1

[racy]

Hi there.

Does anybody know how to use a group police to disable the internet access ?

I know how to disable the internet access using group police by user police ... I can put a wrong proxy address (but I need a controll by computer not by user)

How can I do that using group police by computer ?

I tried another way ... I removed the iexplorer.exe permission using group police by computer ... but
the users can use windows explorer instead of internet explorer to access the internet. (using the address bar)

Best regards and thank you in advance.

Racy

 

[snootalope]

If you don't want them getting on the internet..why not remove tcp/ip? That is if your only on one subnet and no routing needs to be done...NWLink or NetBEUI could get the job done...then again you'll some other functionality, but atleast there's no way in hell they'd be getting on the internet lol

snooter "tis better to remain silent and be thought of as a fool..
then open your mouth and remove all doubt" Mark Twain

"I should of been a doctor.." Me

 

[dieselfreak]

why not simply configure the "default user" policy with the wrong proxy address, which will affect all users

Create an INTERNETACCESS domain global group.

Then add the INTERNETACCESS to your policy and configure the correct proxy address for that group.

that way if you want to give auser access to the internet you simply add them to the INTERNETACCESS group.

 

[GlenJohnson]

Remove gateway. Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Since we cannot know all that there is to be known about anything,
we ought to know a little about everything."
Blaise Pascal

 

[racy]

First of all, thank all of you for these replies.

Unfortunately ... I continue in doubts ..... ;(


1)I can't disable tcp/ip because it is around of 600 computers (100 per room ... then 6 rooms) ... netbeui doesn't work well above 150 computers ...

2) I can not disable the gateway ... I am using DHCP ...
and if I disable the gateway in DHCP ... others machines that CAN have access to internet will have no access.

3) The configuration is like a lab ... sometimes they will say ... please disable the internet in this room ... but they will continue to use theirs files in the server.

4) If I try to use a police by user ... I will have a lot of trouble ... because I will need to create around of 500 groups .... ;( ... and they change a lot.

5) I can cut the access using the proxy, but here they are using Squid (linux)... and to control it by proxy I will
need to use a static ip instead of a dynamic one. ;(

5) I already put each computer room in a different OU.
but I only saw in group police a proxy address option by
user not by computer .... Why Didn´t Microsoft do that? ;(

6) I know that I can set DHCP to give always the
same address if I put the mac address .... and
then using the linux proxy to "disable" the internet by ip
range ... but this "approach" will be almost same thing if I put a static address .... Is it the best way to do that ?


Does anyboy have any ideas ? pleaseeee ?
If I am wrong in any item, please be free to correct me ,I will be very thankful for that.

Best regards.


Racy

----------------------
MCSE W2k, CCNA, A+

 

[brontosaurus]

you can enable the proxy changes via the Computer configuration portion of Group Policy. Go under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer and check out the "make proxy settings per machine"

 

[racy]

Hi Brontosaurus

I already tried it ... but this option is when you wanna the same configuration on all machines ... but first of all you need to change each proxy configuration by computer (manual) .... and if anyone says ... please disable the internet .... manual again .... ;(

Thank you

Racy

 

[yawnbob]

When you say this is a lab configuration this is similar to what we're doing. We have labs that the instructors wanted the "internet turned off" at certain times to keep students from wandering. We already had a policy that keeps the users from changing the proxy settings. We already had all machines consistantly named, like LB311-01, LB311-02, etc. One of my co-workers wrote a script that the instructor could run asking for the first and last machine name and whether to enable or disable internet access. Then the script would connect to all the machines in that range and change the proxy server name in a matter of seconds. No more internet access. Then later in the hour if he wanted to allow access, run it again. The instructors love it.
"Time flies like an arrow. Fruit flies like a banana." - Groucho

 

[racy]

Yawnbob,

Thank You for your reply !

Could You please explain how did You do that ?

Like ... use the police xxxxx in computer police ... disable item , put the proxy number in ... xxxx ??

Also, Could You send me that script ? If You can't send it , then the above police configuration would be enough.

Thank You

Racy

 

[ashpp]

How about....

A login script that finds out whether the computer is in a Internet Disabled or Internet Enabled group. If the machine is in ID it will copy over a LHMOST file with the proxy server machine entry pointing to 127.0.0.1.
If in IE it will copy over a LMHOST gile with that entry removed.

Ash.

 

[ITLady]

If you are using a firewall to the internet and a router to route internally, here's a solution. Give the users who need access to the internet a gateway address of the firewall. Users who need intranet access, the gateway address of the router.

I use this method and it works great.