If ONLY Internet Explorer is used and allowed on that computer you can
configure Group Policy to give that domain user a bogus proxy server IP
address and then he will not be able to access the internet via IE. If you
are using ISA 2000/2004 you can create firewall rules based on user or group
membership. See the link below for more information on using a bogus proxy
server and make sure the user can not access the connection tab of IE [in
order to remove the bogus proxy IP] which you can also disable via Group
Policy in user configuration/administrative templates/Windows
components/Internet Explorer/control panel. You might need to create a Group
Policy just for that user linked to an OU and move the users account into
the OU. That OU could be a child OU to the domain container or another OU so
that other Group Policies still apply to the users account. Use the mmc
snapin for RSOP to see what settings apply to that user in either logging or
planning mode to see what settings apply or should apply to that user. ---
Steve
http://techrepublic.com.com/5102-1009-5838360.html