Preventing Internet Explorer Access

  • Thread starter Thread starter SD
  • Start date Start date
S

SD

Hello-

I was wondering the best way to prevent internet access using onboard
resourses in windows other than having to put on third part software
to prevent internet explorer access.

For example...can this be done with a group policy that is global
throughout the domain? Could I maybe password enable attempts to
access IE ?

Reason I ask is the web is the only thing I am interesting in
blocking...but if we block its port entirely with 3rd party..it gets
annoying to have to configure each workstation that way ... etc...
 
SD said:
Hello-

I was wondering the best way to prevent internet access using onboard
resourses in windows other than having to put on third part software
to prevent internet explorer access.

Not really. Internet Explorer itself isn't the issue. You're talking about
blocking *internet* access.
For example...can this be done with a group policy that is global
throughout the domain?

Not really. You *could* ensure that the workstations in question are not
given a default gateway in their IP config, but that is very clumsy at best.
Could I maybe password enable attempts to
access IE ?

No, and that wouldn't give you the results you wish, honestly.
Reason I ask is the web is the only thing I am interesting in
blocking...but if we block its port entirely with 3rd party..it gets
annoying to have to configure each workstation that way ... etc...

Do this in your perimeter firewall appliance (deny LAN->WAN for your
workstation range of IP addreses) or get a proxy server or use ISA. That's
the best way to handle this.
 
Actually, this is very easy to accomplish. Through Group Policies, define
the users/groups that you don't want to have internet access using standard
installed applications (IE, OE, etc.) and assign a proxy server address of
127.0.0.1 under the Internet Explorer restrictions on a per-user/group
basis. Using the default settings, all installed Windows apps use the IE
settings, so they'll all fail to connect. If you further restrict access to
Internet Options and Registry Editing tools, they'll be unable to easily
change this setting.

Its not as "all encompasing" as a 3rd party solution would be, or even using
an Internet Access Server, where you can literally control access using
Windows based authentication, but it will stop the casual user from gaining
access.
 
Where I work, it depends on the Windows login what groups of sites we
can visit. Our traffic is being monitored by a proxy that checks the IP
and windows login to check if we can access certain sites.
LOL...and the weird thing is that I can't even access the ALLOWED
sites.. like glitnir.is and landsbanki.is (banks).
Weird right? =D
 
Doug said:
Actually, this is very easy to accomplish. Through Group Policies,
define the users/groups that you don't want to have internet access
using standard installed applications (IE, OE, etc.) and assign a proxy
server address of 127.0.0.1 under the Internet Explorer restrictions on
a per-user/group basis. Using the default settings, all installed
Windows apps use the IE settings, so they'll all fail to connect. If
you further restrict access to Internet Options and Registry Editing
tools, they'll be unable to easily change this setting.

Its not as "all encompasing" as a 3rd party solution would be, or even
using an Internet Access Server, where you can literally control access
using Windows based authentication, but it will stop the casual user
from gaining access.


Does the IEAK (Internet Explorer Administration Kit) manage something
like this?

Does Microsoft have a tool for managing Group Policies besides the one
in the Control Panel? I remember reading about something like that but
just can't remember the name of the program. I think it is in the
Resource Kit.

I need to lock down some PCs used in a turnkey application to allow only
administrators to use any other programs besides the application itself.
 
Back
Top