Stop user going on Internet, but let him access LAN

[karsh]

Hello
How can i stop a user from going on to the internet with keeping his Local area connections active.
Like i would like him to get the company mail in outlook and also he uses a application which needs a citrix client.
In short i just want him to stop going on the web..
Thanks

 

[Andyleates]

Do you have a firewall or proxy server in place?

Or you could configure some sort of access list on your router?

Andy Leates MCSE CCNA MCP+I

 

[karsh]

Yes we have a firewall, but actually the router acts as a firewall..

 

[Andyleates]

Then I would block his workstations IP address there.

Andy Leates MCSE CCNA MCP+I

 

[karsh]

Yes i tried that. I changed that option of AUTOMATICALLY ASSIGN A IP address.
but then he cannot connect to the remote resources and also the LAN..

 

[Andyleates]

What sort of router is it?

Explain exactly what you tried to do?

DOes this router provide access to anything other than the internet?


Andy Leates MCSE CCNA MCP+I

 

[AlexIT]

Go to his machine and set his NIC gateway to 127.0.0.1 and any packet that is not travelling to the same IP subnet will be rerouted to his machine...no more internet access for that machine.

Alex

 

[karsh]

it doesnt let me type in the loop back address.
i can type in any other garbage, but then the whole thing is cut offf.... like the remote access i want him to have it..
thanks though...

 

[Andyleates]

Can you answer my questions?

Andy Leates MCSE CCNA MCP+I

 

[bcastner]

Use the ability to create a logon script, and the ability to use regedit to import registry settings to accomplish this.

1. Create the registry scripts needed:

. Internet_on.reg

Open your registry and find the key below.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

Export this key as Internet_on.reg

. Internet_off.reg

Change the value of "ProxyEnable" and set it to "1". Change the value of "ProxyServer" and set it to an IP address and port that is invalid on your network such as "10.0.0.1:5555" (i.e. "IPort&quot.

By changing these settings Internet access will be disabled for any applications that rely of the Microsoft proxy server information such as Internet Explorer, Microsoft Office, Opera browser, Mozilla, etc.

Export the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

again as Internet_off.reg


2. In the logon script for users you either place the on or off registry key file with the following syntax:

regedit /s Internet_on orp/b] Internet_off.reg

Note: The change will take effect immediately for any new browser windows, existing Internet Explorer sessions will not be affected until the browser is closed and reopened.

3. If you have relatively clever users, they could change these settings, unless you stop them.

To stop users from modifying the proxy settings add these restrictions to disable changes to the Internet configuration.

Find or create the key below:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

Create two DWORD values named "Connection Settings" and "Connwiz Admin Lock" and set them both to "1".

Make certain you create and export a second registry key set where both values are set to 0 or you will not be able to change your connection settings either!

Source: from an idea found in winguides.com

 

[nemotek]

hi,

1. try filtering his/her MAC address..
2. Remove the Gateway settings on his computer
3. or quite easily UNINSTALL THE WEB BROWSER on his computer.

 

[karsh]

Yes i guess the best option is to uninstall the MS explorer.
thanks all...

 

[Syty]

Wow....that's a lot of work to stop one person from hitting the internet.

why not just statically assign his ip address, subnet mask, and gateway.

Then reserve his IP like you would a server from DHCP --

Then add the following to your outbound access list on the router like the followingassuming the user is 192.168.1.20)

ip access-list ext XXX
permit tcp host 192.168.1.20 eq 1494
permit tcp host 192.168.1.20 eq 110
deny ip host 192.168.1.20 any

This is assuming that you already have an existing access-list with the appropriate permit statements for the rest of the office.
He can send mail (port 110) and he can use Citrix (port 1494), but everything else will be denied.

be sure to assign the access list outbound on the "firewall acting router's WAN Interface" or he won't route to other subnets internally.

You can also put him in his own subnet and deny the whole thing at the firewall, but if it's not a custom subnet mask, you are wasting address space.

NOTE: If the user has admin authority on his machine, you are wasting your time.

Uninstalling anything, can be put back, changing the IP can be done very easily...etc...etc...

Good Luck

 

[GlenJohnson]

nemotek had the best awnser. Remove the gateway. I have a computer that I use and removed the IE, but left the gateway. I did this because the computer is on the shop floor and there are times that I need to access the internet from there, but don't want any tom, dick or harriet to get on the internet with it. If you leave the gateway but uninstall IE, then all you have to do is right click on start, click explore, and in the bar type in a web-site address. You'll see all of your stuff on the left, and the internet on the right. The fastest and easiest method is remove the gateway. Good luck.

Glen A. Johnson
"Give the laziest man the hardest job and he'll find the easiest way to do it."

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

 

[Syty]

If you remove the gateway and it's an internal router, the user will not be able to route even the local subnet.

We can't assume the architecture of the network.

 

[bcastner]

Syty,
That was my concern exactly.

 

[karsh]

in the end what i did is Internet Options, Connections, Lan settings, i used Use proxy server and added garbage IP and remove Detect Automatic settings..
it worked...