Sign in with
Sign up | Sign in
Your question

Blocking Internet Access to Users using Active Directory

Last response: in Windows 2000/NT
Share
December 21, 2004 12:23:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi, I have being trying to block internet access to users by the means of
active directory but was not successful.
If someone can help me, i need to allow certain users to have full internet
access, and other users allow certain webpages to be viewed. I know that
active directory by using group policies is able to do it, but cannot find my
way around it.
So ie.
- user 'A' with full access
- user 'B' access to www.microsoft.com only

How to do this. Thank you very much for your help. I am learning, and want
to learn more and more.
Good luck,
Sebastian
Anonymous
December 21, 2004 2:35:28 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> Hi, I have being trying to block internet access to users by the means of
> active directory but was not successful.

Well, you cannot literally do that with any
degree of ease.

This is a job for a tool like ISA (Proxy Server)

In theory you could block access to the browser or
setup IPSec but even that is not precisely what you
suggest since IPSec would be by Computer not
by user.

> If someone can help me, i need to allow certain users to have full
internet
> access, and other users allow certain webpages to be viewed. I know that
> active directory by using group policies is able to do it, but cannot find
my
> way around it.

ISA -- can use Users and Groups to control access on
the basis of such things.



--
Herb Martin


> Good luck,
> Sebastian
December 21, 2004 2:35:29 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Herb Thanx for the response, but I was looking for a way in doing this
without having to purchase the ISA server.


"Herb Martin" wrote:

> "Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
> news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> > Hi, I have being trying to block internet access to users by the means of
> > active directory but was not successful.
>
> Well, you cannot literally do that with any
> degree of ease.
>
> This is a job for a tool like ISA (Proxy Server)
>
> In theory you could block access to the browser or
> setup IPSec but even that is not precisely what you
> suggest since IPSec would be by Computer not
> by user.
>
> > If someone can help me, i need to allow certain users to have full
> internet
> > access, and other users allow certain webpages to be viewed. I know that
> > active directory by using group policies is able to do it, but cannot find
> my
> > way around it.
>
> ISA -- can use Users and Groups to control access on
> the basis of such things.
>
>
>
> --
> Herb Martin
>
>
> > Good luck,
> > Sebastian
>
>
>
Related resources
Anonymous
December 21, 2004 5:13:46 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Sebtarta,

You are looking trying to get windows to do something that it wasn't
designed for. You can configure a GPO that will not allow iexplore.exe to
load.. or netscape, etc. The deal is that other browsers will come around
and the executables can be renamed or repackaged.

You really need something working at a lower level to filter that. Things
like ISA work well though I would suggest something like WebSense. You can
attach that at your firewall or caching appliance and get things at that
level -- for under $40 a user.

Otherwise, there is no "real" way to prevent that.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> Hi, I have being trying to block internet access to users by the means of
> active directory but was not successful.
> If someone can help me, i need to allow certain users to have full
internet
> access, and other users allow certain webpages to be viewed. I know that
> active directory by using group policies is able to do it, but cannot find
my
> way around it.
> So ie.
> - user 'A' with full access
> - user 'B' access to www.microsoft.com only
>
> How to do this. Thank you very much for your help. I am learning, and
want
> to learn more and more.
> Good luck,
> Sebastian
Anonymous
December 21, 2004 6:25:22 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
news:7E6F71EE-B5EA-437D-9A20-7DCB492F86A1@microsoft.com...
> Herb Thanx for the response, but I was looking for a way in doing this
> without having to purchase the ISA server.
>

If you don't have enough users to justify the cost
of ISA, you probably should just TELL them where
they are allowed to visit or buy them some kind
of children's NANNY software for the individual
workstations.

--
Herb Martin


>
> "Herb Martin" wrote:
>
> > "Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
> > news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> > > Hi, I have being trying to block internet access to users by the means
of
> > > active directory but was not successful.
> >
> > Well, you cannot literally do that with any
> > degree of ease.
> >
> > This is a job for a tool like ISA (Proxy Server)
> >
> > In theory you could block access to the browser or
> > setup IPSec but even that is not precisely what you
> > suggest since IPSec would be by Computer not
> > by user.
> >
> > > If someone can help me, i need to allow certain users to have full
> > internet
> > > access, and other users allow certain webpages to be viewed. I know
that
> > > active directory by using group policies is able to do it, but cannot
find
> > my
> > > way around it.
> >
> > ISA -- can use Users and Groups to control access on
> > the basis of such things.
> >
> >
> >
> > --
> > Herb Martin
> >
> >
> > > Good luck,
> > > Sebastian
> >
> >
> >
December 21, 2004 8:33:04 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Cheapest solution:
You could set up a linux machine running squid for free, and depending on
how many users, you could probably pull a machine out of the trash for this.
Then assign GPs for those users to use that proxy server, configure the ACLs
for squid for what you need, and your done.

-Dustin


"Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
news:7E6F71EE-B5EA-437D-9A20-7DCB492F86A1@microsoft.com...
> Herb Thanx for the response, but I was looking for a way in doing this
> without having to purchase the ISA server.
>
>
> "Herb Martin" wrote:
>
> > "Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
> > news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> > > Hi, I have being trying to block internet access to users by the means
of
> > > active directory but was not successful.
> >
> > Well, you cannot literally do that with any
> > degree of ease.
> >
> > This is a job for a tool like ISA (Proxy Server)
> >
> > In theory you could block access to the browser or
> > setup IPSec but even that is not precisely what you
> > suggest since IPSec would be by Computer not
> > by user.
> >
> > > If someone can help me, i need to allow certain users to have full
> > internet
> > > access, and other users allow certain webpages to be viewed. I know
that
> > > active directory by using group policies is able to do it, but cannot
find
> > my
> > > way around it.
> >
> > ISA -- can use Users and Groups to control access on
> > the basis of such things.
> >
> >
> >
> > --
> > Herb Martin
> >
> >
> > > Good luck,
> > > Sebastian
> >
> >
> >
Anonymous
December 22, 2004 3:45:49 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Sebastian,

One way - since you have stated that it is a user side thing in your
environment - is that you can assign a fake proxy address via GPO and remove
the affected users ability to change this. So, if your network is
192.168.1.x then you could supply the Proxy Address as an IP Address of
172.16.21.98 or whatever. These users will not be able to connect to the
Internet....

I believe that Chris has another solution.

HTH,

Cary

"Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> Hi, I have being trying to block internet access to users by the means of
> active directory but was not successful.
> If someone can help me, i need to allow certain users to have full
> internet
> access, and other users allow certain webpages to be viewed. I know that
> active directory by using group policies is able to do it, but cannot find
> my
> way around it.
> So ie.
> - user 'A' with full access
> - user 'B' access to www.microsoft.com only
>
> How to do this. Thank you very much for your help. I am learning, and
> want
> to learn more and more.
> Good luck,
> Sebastian
Anonymous
December 22, 2004 4:23:02 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes he does!!!

-- http://www.chrisse.se/MAQB.asp?ID=17


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/


"Cary Shultz [A.D. MVP]" wrote:

> Sebastian,
>
> One way - since you have stated that it is a user side thing in your
> environment - is that you can assign a fake proxy address via GPO and remove
> the affected users ability to change this. So, if your network is
> 192.168.1.x then you could supply the Proxy Address as an IP Address of
> 172.16.21.98 or whatever. These users will not be able to connect to the
> Internet....
>
> I believe that Chris has another solution.
>
> HTH,
>
> Cary
>
> "Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
> news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> > Hi, I have being trying to block internet access to users by the means of
> > active directory but was not successful.
> > If someone can help me, i need to allow certain users to have full
> > internet
> > access, and other users allow certain webpages to be viewed. I know that
> > active directory by using group policies is able to do it, but cannot find
> > my
> > way around it.
> > So ie.
> > - user 'A' with full access
> > - user 'B' access to www.microsoft.com only
> >
> > How to do this. Thank you very much for your help. I am learning, and
> > want
> > to learn more and more.
> > Good luck,
> > Sebastian
>
>
>
Anonymous
December 22, 2004 5:48:51 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I can vouch for this method. It works wonderfully.

I put everyone in the company (about 50 users, 160 computers) through this
proxy on a 400Mhz machine. I restrict machines based on their MAC address,
but restrictions based on usernames/groups/etc could be done with winbind.
Certain domains/sites can be let through all the time, such our clients
intranet, download.windowsupdate.com for SUS, and suchlike.

Kyle

DM wrote:

> Cheapest solution:
> You could set up a linux machine running squid for free, and depending on
> how many users, you could probably pull a machine out of the trash for
> this. Then assign GPs for those users to use that proxy server, configure
> the ACLs for squid for what you need, and your done.
>
> -Dustin
>
>
> "Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
> news:7E6F71EE-B5EA-437D-9A20-7DCB492F86A1@microsoft.com...
>> Herb Thanx for the response, but I was looking for a way in doing this
>> without having to purchase the ISA server.
>>
>>
>> "Herb Martin" wrote:
>>
>> > "Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
>> > news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
>> > > Hi, I have being trying to block internet access to users by the
>> > > means
> of
>> > > active directory but was not successful.
>> >
>> > Well, you cannot literally do that with any
>> > degree of ease.
>> >
>> > This is a job for a tool like ISA (Proxy Server)
>> >
>> > In theory you could block access to the browser or
>> > setup IPSec but even that is not precisely what you
>> > suggest since IPSec would be by Computer not
>> > by user.
>> >
>> > > If someone can help me, i need to allow certain users to have full
>> > internet
>> > > access, and other users allow certain webpages to be viewed. I know
> that
>> > > active directory by using group policies is able to do it, but cannot
> find
>> > my
>> > > way around it.
>> >
>> > ISA -- can use Users and Groups to control access on
>> > the basis of such things.
>> >
>> >
>> >
>> > --
>> > Herb Martin
>> >
>> >
>> > > Good luck,
>> > > Sebastian
>> >
>> >
>> >
Anonymous
December 23, 2004 3:24:49 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Sebtarta,

As ironic as it is, I had to do this exact thing today.

I Created a GPO to modify the proxy to our internal web page and applied
that to the domain allowing only certain groups to apply it (the groups to
be denied).

This redirects all web requests to the homepage giving them internal and
Intranet info, but stopping all Internet browsing from any browser.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Sebtarta" <Sebtarta@discussions.microsoft.com> wrote in message
news:14ABE989-CD2D-4B3D-82FD-493C25F202E1@microsoft.com...
> Hi, I have being trying to block internet access to users by the means of
> active directory but was not successful.
> If someone can help me, i need to allow certain users to have full
internet
> access, and other users allow certain webpages to be viewed. I know that
> active directory by using group policies is able to do it, but cannot find
my
> way around it.
> So ie.
> - user 'A' with full access
> - user 'B' access to www.microsoft.com only
>
> How to do this. Thank you very much for your help. I am learning, and
want
> to learn more and more.
> Good luck,
> Sebastian
!