Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Help with Group Policy

Status
Not open for further replies.
bboggessswcg

bboggessswcg

Programmer
Joined
Jun 6, 2003
Messages
34
Location
US
I am trying to stop internet access for a client. I have used group policy and not allowed iexplore.exe to run at all. This works great, but then the users open up my computer or network places and type their web address in the address bar right there. Then they go to the web page. How can I stop any access to the outside world for the users?? This is urgent, so any help is appreciated. Thanks in advance.
 
Sort by date Sort by votes
If you use a proxyserver, you can enforce an empty field in the proxy server settings in Internet Explorer, so people can't use it.

Do the users/pc's you want to restrict internet access to make contact with resources on another network? Otherwise you can set the default gateway on the clients to some bogus address so they can't go out.
 
Upvote 0 Downvote
I do not use a proxyserver.

The deal is that I need most users off of the internet, not all of them. Like I said, I used Group Policy for the domain to stop all access to iexplore.exe, but they can still browse with the address bar in my computer. Is it possible to turn off this bar? Or is it possible to stop the user from using it to browse the internet?
 
Upvote 0 Downvote
another method is to of course disable forwarders on your DNS server so no recursion can take place
 
Upvote 0 Downvote
I am not really sure what you mean by this. Could you explain better? I should probably have told everyone that these are thin clients. So this is a terminal server running RDP out to all the thin clients. I just want to completely stop Internet access for all users except for 1 which will have complete access. Can this be done??
 
Upvote 0 Downvote
not through policy no

you would need some sort of proxy filter to do it I think

disabling recursion would stop everything on the network from being able to get out to the internet, all users and all computers

you could set up a content filter, but its an ugly config

that just just keep prompting them for a password that only you know when they tried to get to any web site...problem there is you would have to configure the hell outta that one user

but back to the topic

group policy has no way to allow or disallow internet browsing on a user or computer basis.....One idea however just popped into my head

you could make the perms on iexplore.exe to where only administrator, system, and the user required has access...can deny all others (just dont list them). then when they truy to open the internet it will give access denied. it too has a flaw though, they would still be able to access through windows explorer.
 
Upvote 0 Downvote
If you only have one user that needs access to the internet, you might be able to use your firewall to block the rest.

Typically, you would want to add a Proxy server to your environment to control internet access. But I saw in a previous post that you do not want to do this.

So, you could go into your firewall and block PORT 80 and 433 from going in and out of your network. Then add an exception using IP address for the one user.



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
Upvote 0 Downvote
I'm heading in kind of a similar direction. We are beginning to impliment WYSE terminals into our facility and I'm working on a group policy that will do exactly what you're describing. I'm writing a logon script that gets applied through Group Policy that disables the address bar. I'm curious as to which direction you decided to go with your project.
 
Upvote 0 Downvote
I have slowly made progress with the group policy efforts. I have removed the address bar and I also restricted access to iexplore.exe so the user can not open internet explorer. Be sure to remove the address bar from everywhere, including my computer and network places. The catch is this, the user is getting in by going to the search button in my computer and this brings up the search on the left hand side of the window. Then if you search for a web address, it will find it. If you click on the link, then bam, they are on the web in the right hand side of the screen. Any ideas on that?? How can I get rid of the search button??
 
Upvote 0 Downvote
there are policy settings to disable search and such

have to disable them for each particular thing though (windows explorer, internet explorer, etc.)...and be sure to deny the apply group policy to the user you want to have access

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Upvote 0 Downvote
I tried to disable the search and such, but with no such luck. I still get the search button on the toolbar, and they can still get to the internet that way.
 
Upvote 0 Downvote
Put those users to different OU and follow:Thread96-801081
I think this one is good for TS because they can't install other browser.
 
Upvote 0 Downvote
Removing address bars and search buttons is hopeless. Users will find a way around it. They'll create hyperlinks in email messages, create shortcuts to "explorer.exe find other browsers to use, open the webpages from within Microsoft Word etc etc etc.

You need to BLOCK internet traffic. Its the only failsafe way of doing it. I'd recommend you use a transparent proxy of some kind and then require them to logon to it. "Wingate Pro" has these features. You are automatically redirected to a proxy and have to supply username/password (which can be active directory integreated) before you can use the internet.

Obvioustly other solutions include blocking IP's and ports at the router or firewall level or using two subnets and routing between the two. One has a default gateway, the other doesn't. Obvioustly the second is still not solid enough to stop the more knowledgeable user who could play around with his or her IP address and dns settings etc.

Another solutions is block all access to Port 80/443 etc at the router apart from those coming from the server. Then put a proxy on the server which requires a username/password such as Allegrosurf / Symantec Web Security. SWS by far being a superior product! SWS features amazing content filtering and virus scanning.

Robert Bentley

SynergyworksHosting.co.uk
"reliable services at realistic prices
 
Upvote 0 Downvote
Are there any proxy servers that are freeware that are any good? It sounds like the proxy server is the way to go, but my client really isn't willing to pay anymore money, and the router is not in my control. Any ideas??
 
Upvote 0 Downvote
why don't you try the proxy server (127.0.0.1) above?
 
Upvote 0 Downvote
I did just try the proxy server above and it appears to be working good. I let the client know about the changes and asked them to keep an eye on it to see if it takes care of the internet issues.
 
Upvote 0 Downvote
Why don't you try changing the default gateway on that machine to use itself.
 
Upvote 0 Downvote
Here is my solution to the problem, but it uses the policies in Windows 2003, I don't know if they exist in 2000.

1. Force the user policy to use a proxy setting, and enter a ficticious proxy address.

2. Disable all access and ability for the user to change the connection settings.


 
Upvote 0 Downvote
As the final and so far best answer, I used the 127.0.0.1 address as the proxy server for the OU that I wanted off the internet. If they need selective access, then you can include specific domains that they are permitted to go to by using the domain and the * wildcard. This limits them to those sites only. This stops the access all together, not just for Iexplore.exe or anything else. I don't care what you use to try and access the internet, it hits a brick wall.
 
Upvote 0 Downvote
Also, we recently found it necessary to not only lockout access to iexplore.exe and set the connection settings to a dummy (we do not use a proxy server either), proxy server (and lock out access to the connection settings tab so they cannot change any of the settings), but also, some of our users got wise and found the executable for the "Internet Connection Wizard".

To disable the "Internet Connection Wizard" via group policy you can find that in the "Administrative Templates" followed by looking under "Internet Explorer" in the tree view. We found that using the "Internet Connection Wizard", even with the "Connection Tab" disabled, the users were able to configure a new instance of Internet Explorer to access the outside world. So for "total" security, it's necessary to lock access to this as well (also depending just how sophisticated your users really are). It took us a bit of time to figure out just how the users were accessing the internet ourselves - once we did, we were able to stop it quickly using this method.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

techbrain1
  • Question Question
Explorer Error the operating system is not compatible with this product
Replies
0
Views
263
techbrain1
techbrain1
ravalos
  • Locked
  • Question Question
Problem with PDFs in IIS
Replies
1
Views
2K
gbaughma
gbaughma
Abdullah Al Maruf
  • Locked
  • Question Question
Telnet help for
Replies
2
Views
1K
gbaughma
gbaughma
DrB0b
  • Locked
  • Question Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
1K
DrB0b
DrB0b
DrB0b
  • Locked
  • Question Question
Hybrid on prem AD with Azure AD
Replies
2
Views
602
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top