Locking down internet access is difficult as just denying access to IE may
not stop access other ways such as through the run box, Windows Explorer, or
even in links in Word documents. You could add iexplore.exe to the
disallowed windows applications list in Group Policy via user
configuration/administrative templates/system but a better way may be to
also create a "bogus" proxy server for the users via Group Policy and block
their access to the IE connection settings page in Group Policy user
configuration. The best solution may be to use firewall rules or ipsec
filtering at the computer configuration level to block access to the
internet if those users never need internet access.
If you want to restrict just for the TS session then you would need to use
one of the user configuration restriction settings such as a bogus proxy and
then implement loopback processing of Group Policy on the OU where the
Terminal Server resides. --- Steve
