GP No internet

[Moydog]

Is there a way with GPO to block certain MACHINES from accessing the
internet? Intranet is needed, but no internet. Maybe putting an incorrect
proxy server in the internet settings or something, but only for say a group
of machines, or a single machine?

 

[Mark Heitbrink [MVP]]

Is there a way with GPO to block certain MACHINES from accessing the
internet?

No. You only can define a wrong proxy configuration and deny
the changing of the configuration.

Not a good way, because it takes no effect on a different
browser than IE.

A proxy ist what you are looking for.
Squid is available on Win32 or Sambar.

Intranet is needed, but no internet. Maybe putting an incorrect
proxy server in the internet settings or something, but only for
say a group of machines, or a single machine?

Take a look at the DSACLS on the policy. Remove the "Authenticated Users"
an replace them with your security group and grant them read and apply.

HTH
Mark

 

[Steven L Umbach]

If it is only a few computers you can configure the computer with a bogus
default gateway as long as the user is not a local administrator which would
allow him to change it back if he knew how. A sure fire way would be to put
those "computers" in their own OU with a GPO for that OU to apply an ipsec
filtering policy to those computers. An ipsec filtering policy uses only
permit and block filter actions to control a computers network access. You
could for instance create an ipsec policy with a mirrored block all IP rule,
and then add another rule with permit filter action for the local subnet.
The link below explains more on ipsec filtering. --- Steve

http://www.securityfocus.com/infocus/1559