Deny Internet Usage w/Group Policy

Guest

I'm looking for a way to stop one machine from accessing the internet at
all.
I have created another OU called "Limited Access" and have been looking
through everything I can think of in the GP editor but so far I can find
nothing on this subject.

A little background:

This computer will be used for only entering data into a spreadsheet and
soon an Access Database for inventory tracking purposes. I want to limit
them to only Excel and Access.

I think I just came up with the way to do this by using Software
Restriction. Can someone please tell me if I'm on the right track and point
me to some relevant documentation for this purpose.

Thanks,

Mike Stevens
 
One more thing I think I should add. This computer is running Windows 2K
Pro SP4

Thanks again
 
I have used this process successfully in the past:

Internet Explorer blocking (per user account)

Create a new "OU" call it something like "Restricted" then create a gpo and
call it "No_Internet" then add the following policies:

1. user configuration\windows settings\internet explorer
maintenance\connection then choose proxy settings put a check box in proxy
settings and put a dead ip or server name in the field and change the port to
8080 (set all fields to use these parameters)

2. administration template\windows components\internet explorer\internet
control panel enable "disable connection page."

3. move the few restricted users into the restricted ou they should inherit
the parent gpo (if any)

NOTES
refresh the client gp by rebooting or typing for winxp gpupdate /target:user
or win2k secedit /refreshpolicy
 
ablackcarneysc said:
I have used this process successfully in the past:

Internet Explorer blocking (per user account)

Create a new "OU" call it something like "Restricted" then create a gpo and
call it "No_Internet" then add the following policies:

1. user configuration\windows settings\internet explorer
maintenance\connection then choose proxy settings put a check box in proxy
settings and put a dead ip or server name in the field and change the port to
8080 (set all fields to use these parameters)

2. administration template\windows components\internet explorer\internet
control panel enable "disable connection page."

3. move the few restricted users into the restricted ou they should inherit
the parent gpo (if any)

NOTES
refresh the client gp by rebooting or typing for winxp gpupdate /target:user
or win2k secedit /refreshpolicy

 > > I'm looking for a way to stop one machine from accessing the internet at
 > > all.
 > > I have created another OU called "Limited Access" and have been looking
 > > through everything I can think of in the GP editor but so far I can find
 > > nothing on this subject.
 > >
 > > A little background:
 > >
 > > This computer will be used for only entering data into a spreadsheet and
 > > soon an Access Database for inventory tracking purposes. I want to limit
 > > them to only Excel and Access.
 > >
 > > I think I just came up with the way to do this by using Software
 > > Restriction. Can someone please tell me if I'm on the right track and point
 > > me to some relevant documentation for this purpose.
 > >
 > > Thanks,
 > >
 > > Mike Stevens

Hi,

The phony Proxy setting is the only way to do this. Software
restriction policies are only for XP Pro and only apply to certain
versions of software.

Cheers,

Lara
 
You could configure the computer to have a bogus default gateway, configure
your firewall to block outbound access by the computer's assigned IP
address, or use an ipsec filtering policy that uses rules with permit and
deny filter actions. This can be done via OU Group Policy or Local Group
Policy for a single computer. The ipsec policy could have one mirrored rule
configured to block all IP and then another rule with a filter action of
permit for the subnet of the local network. The link below explains in more
detail. --- Steve

http://www.securityfocus.com/infocus/1559
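
Added example, not part of the original thread: a small Python model of the two-rule IPsec policy described in the post above (a mirrored "block all IP" rule plus a "permit" rule for the local subnet), showing which traffic each rule ends up governing. The host address, the subnet and every name in the code are constructed for illustration, and the model assumes the most specific matching filter wins regardless of rule order.

```python
"""Model of a block-all + permit-local-subnet IPsec filter policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ME = "me"  # stands for the policy host's own address


@dataclass(frozen=True)
class Filter:
    src: str               # "me", "any", or a CIDR network
    dst: str
    action: str            # "permit" or "block"
    mirrored: bool = True  # mirrored filters also match the reverse direction


def _net(spec, host_ip):
    if spec == ME:
        return ip_network(f"{host_ip}/32")
    if spec == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(spec)


def _matches(f, src, dst, host_ip):
    s, d = _net(f.src, host_ip), _net(f.dst, host_ip)
    forward = ip_address(src) in s and ip_address(dst) in d
    reverse = f.mirrored and ip_address(src) in d and ip_address(dst) in s
    return forward or reverse


def _specificity(f, host_ip):
    # Longer prefixes mean a narrower, more specific filter.
    return _net(f.src, host_ip).prefixlen + _net(f.dst, host_ip).prefixlen


def decide(policy, src, dst, host_ip):
    """Action of the most specific matching filter; 'permit' if none match."""
    hits = [f for f in policy if _matches(f, src, dst, host_ip)]
    if not hits:
        return "permit"  # traffic matching no filter is untouched by the policy
    return max(hits, key=lambda f: _specificity(f, host_ip)).action


# Constructed sample values: host 192.168.1.50 on local subnet 192.168.1.0/24.
HOST = "192.168.1.50"
POLICY = [
    Filter(ME, "any", "block"),              # rule 1: block all IP, mirrored
    Filter(ME, "192.168.1.0/24", "permit"),  # rule 2: permit the local subnet
]

if __name__ == "__main__":
    for dst in ("192.168.1.10", "10.0.0.53", "203.0.113.7"):
        print(dst, decide(POLICY, HOST, dst, HOST))
```

In this model an internal server on another subnet (10.0.0.53 here) is blocked along with Internet hosts, so any DNS server, domain controller or file server outside the permitted subnet needs its own permit filter.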
 