Blocking Internet without blocking the Intranet


Serge

All my Windows 2000 Servers are centralized at one
location.

I have a Domain (Active Directory) and one server
configured with DNS (Windows 2000).

My DNS server is configured to access the internet.

So, the local XP users who don't need access to the
Internet, I just take out the Gateway and this blocks
them from the internet, but they still have access to our
Intranet Web site. (This is exactly what I want)

But, what can I do for my WAN users that don't need
access to the Internet but need access to the Intranet?
(I do not have any servers on my WAN sites)

If I take out the gateway, they can't get access to any
of my servers. (no Good)

If I take out the DNS, they won't be able to log on to the
Domain. (no Good)

I tried the HOST file with the Gateway and no DNS, but my
group policies do not get transferred. (no Good)

I don't want to add a Proxy Server.

Is there something I can configure on the XP client or on
the DNS server, so that my WAN users can have access to
my Intranet but not the Internet?

Thanks.
 
The default gateway entry just adds a default route
to the Win2K routing table. As a happy coincidence,
you can make your own entries to that table directly.

If you do a "route print" (in a CMD prompt) you'll see
the current routing table. If you have a default gateway
set, that will be the first entry (0.0.0.0....).

The "route add" command is what you want to use.
Use it to add a specific route to just your Intranet subnet,
without adding a default gateway for everything. You
can use the -p (I think) qualifier to make the entry
persistent across reboots. Do a route /? to see.

You need to be a local admin of course to affect the
routing table. I wrote an EPAL-based program to
do this in login scripts in an admin user context for
this very reason -- let me know if you need it and
I'll forward the code. (It's better if you don't as this
gets complicated fast.)

Steve Duff, MCSE
Ergodic Systems, Inc.
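
The route-only setup described in the reply above, written out as a batch file. This is an added example, not part of the original thread and not the program the reply mentions. The addresses are constructed placeholders, and it assumes the Default Gateway field is left blank in the client's TCP/IP properties and that the DNS server and domain controllers sit inside the intranet subnet.

```bat
@echo off
rem Constructed placeholder values: substitute your own addressing.
rem INTRANET_NET / INTRANET_MASK : subnet at the central site that holds the
rem                                DNS server, domain controllers and intranet web server
rem WAN_ROUTER                   : router on the WAN site's local subnet
set INTRANET_NET=10.1.0.0
set INTRANET_MASK=255.255.0.0
set WAN_ROUTER=192.168.20.1

rem Show the table before the change. With the Default Gateway field blank
rem there should be no 0.0.0.0 entry at the top of the list.
route print

rem Add a persistent (-p) route that covers only the intranet subnet.
rem Traffic to any other destination has no matching route and is not forwarded.
route -p add %INTRANET_NET% mask %INTRANET_MASK% %WAN_ROUTER%

rem Verify the entry is present; find sets errorlevel 1 when nothing matches.
route print | find "%INTRANET_NET%" >nul
if errorlevel 1 (
    echo Route to %INTRANET_NET% is missing. Run this as a local administrator.
    exit /b 1
)

echo Route to %INTRANET_NET% via %WAN_ROUTER% is in place.
exit /b 0
```

Because any local administrator can add a default route back, this limits where the client can send traffic but does not enforce it; an ACL on the WAN router is what would enforce the same rule.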
 