Steve Allen said:I want to add a second user to my workstation and grant normal network
(peer-to-peer) access, but I don't want them to have access to the
internet.
I haven't found an easy way to do this, I've tried looking at permissions
but
I'm missing something.
Pegasus (MVP) said:There is a fairly simple solution to your problem. Instead of
playing around with the IP settings, you can modify IE so
that it no longer finds any pages. You could include these
lines in your logon script:
@echo off
if /i "%UserName%"=="TempUser" (set Reg=1) else (set Reg=0)
echo > c:\proxy.reg REGEDIT4
echo >>c:\proxy.reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
echo >>c:\proxy.reg "ProxyEnable"=dword:0000000%Reg%
echo >>c:\proxy.reg "ProxyServer"="SteveProxy:9090"
regedit /s c:\proxy.reg
del c:\proxy.reg
I found that ordinary users can edit this part of the registry.
Make sure to replace TempUser with the actual logon name
of the user.
Steve Allen said:I really appreciate your help, thank you.
OK, I think I get how to use netsh and it should work,
BUT, I believe the user I wish to BLOCK for the internet needs to have
"administrator" privleges inorder for the command to function, when they
and
only they login.
There are to be three users on the computer, each with a unique username
and
password.
Administrator(me) for maintenance, etc. full network access.
Fulltime for my regular secretary. full network access.(user or power
user.)
and "PartTime" for temp office help........LAN Access: yes, Internet
Access:
NO. User group only. Naturally I don't want to give my part time help
"administrator" status!
with netsh I should be able to "enable" the gateway address for me and my
full time employee, but how do I run this when the "Part time" employee
logs
on with only user privliges?
would a program like "net nanny" be easier? lol, been years since I saw
that one.
Any further tips will be most appreciated, thank you again.
Steve Allen said:Pegasus, it seems I need more experience to create a logon script.
I created a batch file called "noisp.bat" and copied your example
replacing
temp_user with the real logon name "Part Time" as suggested. I tried
saving
the batch file in several locations as I could not add a full path to the
user's settings, only a relative path for testing.
I am going to search MS for some more help on this. If you have any links
or suggestions please advise.
Thanks again, Steve
Pegasus (MVP) said:There is a fairly simple solution to your problem. Instead of
playing around with the IP settings, you can modify IE so
that it no longer finds any pages. You could include these
lines in your logon script:
@echo off
if /i "%UserName%"=="TempUser" (set Reg=1) else (set Reg=0)
echo > c:\proxy.reg REGEDIT4
echo >>c:\proxy.reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
echo >>c:\proxy.reg "ProxyEnable"=dword:0000000%Reg%
echo >>c:\proxy.reg "ProxyServer"="SteveProxy:9090"
regedit /s c:\proxy.reg
del c:\proxy.reg
I found that ordinary users can edit this part of the registry.
Make sure to replace TempUser with the actual logon name
of the user.
Steve Allen said:I really appreciate your help, thank you.
OK, I think I get how to use netsh and it should work,
BUT, I believe the user I wish to BLOCK for the internet needs to have
"administrator" privleges inorder for the command to function, when
they
and
only they login.
There are to be three users on the computer, each with a unique
username
and
password.
Administrator(me) for maintenance, etc. full network access.
Fulltime for my regular secretary. full network access.(user or power
user.)
and "PartTime" for temp office help........LAN Access: yes, Internet
Access:
NO. User group only. Naturally I don't want to give my part time help
"administrator" status!
with netsh I should be able to "enable" the gateway address for me and
my
full time employee, but how do I run this when the "Part time" employee
logs
on with only user privliges?
would a program like "net nanny" be easier? lol, been years since I
saw
that one.
Any further tips will be most appreciated, thank you again.
:
Yes, you could remove the default gateway and/or the DSN entry,
using netsh.exe, provided that the user has sufficient privileges to
run the command. Below is a link and some examples for the command.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;242468
For a Static IP use:
netsh interface ip set address "Local Area Connection" static
125.187.7.56
255.0.0.0
netsh interface ip set address local static 192.168.1.1 255.255.255.0
And for DHCP use:
netsh interface ip set address "Local Area Connection" DHCP
netsh interface ip set address name="Local Area Connection 2"
source=static
addr=192.168.10.10 mask=255.255.255.0 gateway=none
netsh interface ip delete dns name="Local Area Connection 2" addr=all
netsh interface ip set dns name="Local Area Connection 2"
source=static
addr=192.168.20.20
netsh interface ip add dns name="Local Area Connection 2"
addr=192.168.30.30
netsh interface ip set address name="Local Area Connection X"
gateway=10.0.0.1 gwmetric=1 source=static addr=192.168.0.10
mask=255.255.255.0
netsh interface ip set address name="Local Area Connection"
source=static
addr=192.168.44.1 mask=255.255.255.0 gateway=192.168.44.254 gwmetric=1
netsh interface ip set dns name="Local Area Connection" source=static
addr=192.168.44.254
Thank you for the tip but alas, it seems I must have XP for
SteadyState.
Question: if I use static IP addresses on all workstations,
Can I build a batch file or script that would delete the tcp/ip
entry
for
the default gateway and have it run when a particular user logs in?
I am thinking that would allow LAN access but not to the internet.
:
I want to add a second user to my workstation and grant normal
network
(peer-to-peer) access, but I don't want them to have access to
the
internet.
I haven't found an easy way to do this, I've tried looking at
permissions
but
I'm missing something.
Windows SteadyState might be for you although I don't know if
it works under Win2000.
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
Pegasus (MVP) said:You can put the file "noisp.bat" here:
c:\Documents and Settings\All Users\Start Menu\Programs\Startup
Steve Allen said:Pegasus, it seems I need more experience to create a logon script.
I created a batch file called "noisp.bat" and copied your example
replacing
temp_user with the real logon name "Part Time" as suggested. I tried
saving
the batch file in several locations as I could not add a full path to the
user's settings, only a relative path for testing.
I am going to search MS for some more help on this. If you have any links
or suggestions please advise.
Thanks again, Steve
Pegasus (MVP) said:There is a fairly simple solution to your problem. Instead of
playing around with the IP settings, you can modify IE so
that it no longer finds any pages. You could include these
lines in your logon script:
@echo off
if /i "%UserName%"=="TempUser" (set Reg=1) else (set Reg=0)
echo > c:\proxy.reg REGEDIT4
echo >>c:\proxy.reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
echo >>c:\proxy.reg "ProxyEnable"=dword:0000000%Reg%
echo >>c:\proxy.reg "ProxyServer"="SteveProxy:9090"
regedit /s c:\proxy.reg
del c:\proxy.reg
I found that ordinary users can edit this part of the registry.
Make sure to replace TempUser with the actual logon name
of the user.
I really appreciate your help, thank you.
OK, I think I get how to use netsh and it should work,
BUT, I believe the user I wish to BLOCK for the internet needs to have
"administrator" privleges inorder for the command to function, when
they
and
only they login.
There are to be three users on the computer, each with a unique
username
and
password.
Administrator(me) for maintenance, etc. full network access.
Fulltime for my regular secretary. full network access.(user or power
user.)
and "PartTime" for temp office help........LAN Access: yes, Internet
Access:
NO. User group only. Naturally I don't want to give my part time help
"administrator" status!
with netsh I should be able to "enable" the gateway address for me and
my
full time employee, but how do I run this when the "Part time" employee
logs
on with only user privliges?
would a program like "net nanny" be easier? lol, been years since I
saw
that one.
Any further tips will be most appreciated, thank you again.
:
Yes, you could remove the default gateway and/or the DSN entry,
using netsh.exe, provided that the user has sufficient privileges to
run the command. Below is a link and some examples for the command.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;242468
For a Static IP use:
netsh interface ip set address "Local Area Connection" static
125.187.7.56
255.0.0.0
netsh interface ip set address local static 192.168.1.1 255.255.255.0
And for DHCP use:
netsh interface ip set address "Local Area Connection" DHCP
netsh interface ip set address name="Local Area Connection 2"
source=static
addr=192.168.10.10 mask=255.255.255.0 gateway=none
netsh interface ip delete dns name="Local Area Connection 2" addr=all
netsh interface ip set dns name="Local Area Connection 2"
source=static
addr=192.168.20.20
netsh interface ip add dns name="Local Area Connection 2"
addr=192.168.30.30
netsh interface ip set address name="Local Area Connection X"
gateway=10.0.0.1 gwmetric=1 source=static addr=192.168.0.10
mask=255.255.255.0
netsh interface ip set address name="Local Area Connection"
source=static
addr=192.168.44.1 mask=255.255.255.0 gateway=192.168.44.254 gwmetric=1
netsh interface ip set dns name="Local Area Connection" source=static
addr=192.168.44.254
Thank you for the tip but alas, it seems I must have XP for
SteadyState.
Question: if I use static IP addresses on all workstations,
Can I build a batch file or script that would delete the tcp/ip
entry
for
the default gateway and have it run when a particular user logs in?
I am thinking that would allow LAN access but not to the internet.
:
I want to add a second user to my workstation and grant normal
network
(peer-to-peer) access, but I don't want them to have access to
the
internet.
I haven't found an easy way to do this, I've tried looking at
permissions
but
I'm missing something.
Windows SteadyState might be for you although I don't know if
it works under Win2000.
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx