Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Hi all
It's much better to do this at your proxy or firewall. Policy doesn't
really lend itself to this goal. While an ipsec policy or pointing the
proxy to the loopback address will work, it makes things tricky as Andy
suggests.
I've seen attempts to prevent internet access by adding Internet Explorer to
the disallowed programs list in policy. This is problematic however because
of the shell integration and users can get to web sites via Windows
Explorer.
My first suggestion would be to lock this down at the firewall or proxy. If
you can't do this, a combination of ipsec policy, loopback as the proxy
address and disallowing Internet Explorer from running would be an approach.
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
news:Xns959AECDED2782casey01@207.46.248.16...
> "=?Utf-8?B?andraA==?=" <jwkh@discussions.microsoft.com> said
>
>> I need to disable any access to Internet Explorer from a Terminal Server
>> session.
>>
>> Actually, I guess I should say ANY Web access.
>>
>
> If you want to block all web access, you could use an IPSec policy on the
> OU
> containing the terminal server machine.
> Set the policy to drop all packets where the destination is port 80.
>
> I'm not sure what effect this would have on services such as the Windows
> Update client, so you might want to test it in a lab.
>
> --
> Andy.