How do i deny internet access for 1 person in a domain

[Guest]

I'm running a Win2000 Server SP4 domain. I want to take away internet access
for 1 user but let the person have intranet access. What is the best way to
do that on a Win XP workstation.

 

[Phillip Windell]

You can't without a proxy server that authenticates based on domain user
accounts. ISA Server is an example of that.

NAT based Internet Devices typically can restrict by the IP of the machine
they are sitting at, but that isn't worth much if you use DHCP where the
machine may not always be the same address.

 

[Steven L Umbach]

You can set an ipsec filtering policy on the "computer" to manage what
outbound ports that users on a computer can access, block access at the
firewall with the computers IP address [static would be best], or configure
the computer to not have a default gateway to prevent any access outside of
the network for that computer. A user based solution [other that ISA as
Phillip mentioned] could be a personal firewall such as Portslock that can
have different configuration based on logged on user or using Group Policy
to configure a "bogus" proxy server for that user being sure he could not
access IE settings to reconfigure which would prevent internet access only
through Internet Explorer.. --- Steve