Stopping Clients from Accessing Internet

  • Thread starter Thread starter Kyle Stedman
  • Start date Start date
K

Kyle Stedman

Hi,

We've got some clients on our 2003 network that we'd like to keep from
accessing the Internet. We've used our ISA server (Access Policy -- Site
and Content Rules) to stop them from browsing via IE. I thought this would
stop them period, but they can still browse via Windows Explorer!

Is there a policy that will stop the Internet functionality of Windows
Explorer? Or is there some other way? I've thought of putting them on
NetBui protocol instead of IP (they need networked printing), but I'm not
sure if NetBui is still available on Server 2003.

Thanks for any help,

Sincerely,
Kyle
 
Hi

If you never want them to have net access just dont supply them a default gateway via DHCP - that should do it!

Regards

S
 
In a WAN environment, there may be resources that require the gateway.
Also, other than machine specific DHCP reservations, is there a way to
remove the gateway on a per-user basis?

The idea is intriguing.

What I have been doing is using a login script to set the proxy server
address to 127.0.0.1 and enabling the proxy. I also specify a list of
domains that all users can get to using the proxyoverride setting, and
further specify that the proxy server is bypassed for local addresses.

I then use gpo to disable the connections tab in IE.

Not QUITE perfect, as users could conceivable edit the registry to turn
the connections back on or to disable the proxy server setting.

I'm testing to see if their are functional consequences to disabling
access to registry modication tools using gpo.

--Vorpal
 
Great, it is a small number of machines. You mean the default gateway on
their local "Network Connection" settings?

Thanks,
Kyle
 
Hi,

Your ISA server should block everything if you have enabled authentication.
I have ISA and have never had a problem. In my rules for "Internet" I just
"Allow" everyone "except" the users that I don't want accessing and voila. I
am using ISA 2004 though so it may be different.

Have you installed the ISA client on the workstations? Mine works for
Mozilla and even FTP so it should work for Windows. Also, disable access to
Iexplorer.exe on the workstation using Permissions. That will do it for sure.
Just leave the Administrator and System as full control and remove "Users"
and all other accounts. Windows Explorer just opens up IE when an IP is put
in. You could also disable the Address Bar in Windows Explorer.

Cheers,

Lara
 
Hi Lara,

Yes, we've only got one rule which applies to all Users (allow all:
domain\domain users

Can I just another rule to the one above that excludes certain users? Or
would I have to make the rule above more granular first?

Thanks for your help,

Kyle
 
Hi,

Yes Kyle you can add another rule above that excludes and it will take
precedence without any modification. However on ISA 2004 you actually have a
"exlusions" box below the "allow" box in the standard rule where you can
enter Users. That is where I usually just add the names of the users that are
excluded from the rule (allow internet).

My users roam so I have to do it via ISA. However, if the computers are the
same all the time, removing the users and everyone permissions from reading
iexplore.exe on the local machine works even better.

Cheers,

Lara
 
Thanks Lara!

Kyle


Hi,

Yes Kyle you can add another rule above that excludes and it will take
precedence without any modification. However on ISA 2004 you actually
have a "exlusions" box below the "allow" box in the standard rule
where you can enter Users. That is where I usually just add the names
of the users that are excluded from the rule (allow internet).

My users roam so I have to do it via ISA. However, if the computers
are the same all the time, removing the users and everyone permissions
from reading iexplore.exe on the local machine works even better.

Cheers,

Lara
Click to expand...
 
Back
Top