You can try to use ntfs permissions or Group Policy disallowed Windows
applications list to restrict what application a user can execute, but in my
opinion that is less than reliable. Even if you disable the ability of a user to
run Internet Explorer, users may still find that they can browse the internet
through Windows Explorer or even urls in Word documents. A far better option is
to restrict user access at your firewall by blocking access to the internet.
Even the cheapest consumer NAT routers can do such these days. An alternative
may be to use ipsec filtering policies on computers that you want to restrict
access to the internet by using permit and block rules. --- Steve
http://www.securityfocus.com/infocus/1559 -- how to make ipsec filtering
policies.
