Deny access to the internet within a domain

[wayne]

Hello

I have a domain with subnet and one router giving access to the outside
world. I would like to stop a number of computers accessing the internet
but still have access to resources within the domain. Does anyone know of
an easy way to do this with out configuring the router. My thoughts were to
configure static IP address of the PC and leave out the gateway.

any more suggestions would be helpful

thanks

Wayne

 

[Alan Wood [MSFT]]

Hi Wayne,
That would be the best way without having to configure the router.
Other possibilites would include using ISA Server as a firewall, you get
more flexibility on access rights.

http://www.microsoft.com/isaserver/

Hope this Helps!

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jetro]

Subnet wouldn't communicate with the rest of LAN w/o gateway.
You can set a false proxy server in IE.

 

[Alan Wood [MSFT]]

He only has one subnet so that wouldn't be an issue on this situation. One
subnet one router connecting to the internet.
Setting a false proxy would work for HTTP based traffic but not everything
else.


Thanks,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[wayne]

Yep, I feel the no gateway option will work for me as this will stop all
communication to the internet. With the false proxy, yes that would work
for HTTP but it would not stop the user downloading another browser via FTP
(the user has admin rights) installing and then having access to the net
through that browser.

with no gateway all I will have to do is hide the network icon through a
domain gpo

 

[Jetro]

Disagree: proxy is configured for HTTP, Secure, FTP, Gopher and Socks
separately.
As to 'domain with subnet'... Still don't get it as ONE subnet.

 

[Steven Umbach]

You could use ipsec filtering to do that. You could implement it via Group
Policy to the needed computers since it is a computer policy. You would have to
start with a default block all mirrored rule and then add a permit mirrored rule
for the subnet. --- Steve

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

 

[Wayne]

I agree, if you are going to use IE for those services but if using ftp from
the command line access can still be gained to the internet to down load
applications and another browser for example Netscape

If there is One subnet and on router there is only one point of access to
the internet for that network i.e the default gateway, by omitting that from
the network settings that computer will still have access to network
resources but not to the internet.

 

[Jetro]

Having hosts without default gateway is a bad idea for some reasons; It'd be
better to utilise NetBEUI in the network as such.
If you gonna harden some computers, then why don't you just move or rename
ftp.exe and other files, restrict access to Command prompt and Run line, and
tighten the rest of GPO?