block internet access

Guest
Archived from groups: microsoft.public.win2000.group_policy

I have a subnet in a remote location that 2 computers need to be blocked
from getting to the Internet.

Can I use group policy to do this or some other way in Active Directory? (I
have a firewall that I can do it using the rules and make a static IP for
those computers.)

They are on the 192.168.4.0 network, go through the router to the main
network 192.168.1.0 to get Internet.
If I gave them a bogus default gateway they won't be able to log on to the
domain since they have to access the 1.x network to login.

The firewall is probably the best way, but I would like to know of any way
in AD and/or group policy if there is one.
Windows 2003 servers/XP clients

Thanks,
Rob
 
Guest

You can use IPsec filtering policy to block user access to the internet. You
can use IPsec with block and permit filter actions. You could create an
IPsec policy with a mirrored block all IP rule and then create another
mirrored rule with permit for the subnets that should be allowed. The user
on the restricted computer will not get any special error message, however,
and will not be able to get updates from Windows Updates from the internet.
The link below explains IPsec filtering more. --- Steve

http://www.securityfocus.com/infocus/1559

"Rob Bergstrom" <nospam@backatcha.com> wrote in message
news:uOm1URhCFHA.1084@tk2msftngp13.phx.gbl...
>I have a subnet in a remote location that 2 computers need to be blocked
> from getting to the Internet.
>
> Can I use group policy to do this or some other way in Active Directory?
> (I have a firewall that I can do it using the rules and make a static IP for
> those computers.)
>
> They are on the 192.168.4.0 network, go through the router to the main
> network 192.168.1.0 to get Internet.
> If I gave them a bogus default gateway they won't be able to log on to the
> domain since they have to access the 1.x network to login.
>
> The firewall is probably the best way, but I would like to know of any way
> in AD and/or group policy if there is one.
> Windows 2003 servers/XP clients
>
> Thanks,
> Rob
>
>
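A simplified model of the two-rule policy described in the reply above, added here as an example and not part of the original posts. It assumes Windows IPsec's most-specific-filter-wins ordering; the host and server addresses are constructed, and `decide` and `audit` are hypothetical names.

```python
import ipaddress

# Constructed policy modeled on the thread. "me" is the restricted PC itself;
# every filter is mirrored, so it also matches the reverse direction.
RULES = [
    # (rule name, remote network, filter action)
    ("block all IP", "0.0.0.0/0", "block"),
    ("permit remote LAN", "192.168.4.0/24", "permit"),
    ("permit main LAN", "192.168.1.0/24", "permit"),
]


def decide(my_ip, src, dst, rules=RULES):
    """Return (action, rule name) for one packet seen on the host my_ip."""
    me, src_a, dst_a = (ipaddress.ip_address(x) for x in (my_ip, src, dst))
    best = None
    for name, remote, action in rules:
        net = ipaddress.ip_network(remote)
        outbound = src_a == me and dst_a in net
        inbound = dst_a == me and src_a in net  # the mirrored half
        # Assumption: the most specific matching filter wins, not rule order.
        if (outbound or inbound) and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, action, name)
    if best is None:
        return ("permit", "no matching filter")  # IPsec leaves it alone
    return (best[1], best[2])


def audit(my_ip, peers):
    """Map each peer to the action applied to outbound traffic from my_ip."""
    return {peer: decide(my_ip, my_ip, peer)[0] for peer in peers}


if __name__ == "__main__":
    pc = "192.168.4.10"  # constructed restricted workstation
    peers = [
        "192.168.1.5",   # constructed domain controller on the main network
        "192.168.4.1",   # constructed local router interface
        "203.0.113.80",  # documentation-range stand-in for an Internet host
    ]
    for peer, action in audit(pc, peers).items():
        print(f"{pc} -> {peer}: {action}")
```

Anything reachable on a permitted subnet stays reachable, so a proxy server on 192.168.1.0 would need its own block filter or a firewall rule.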
 
Guest

Thanks.
Rob


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:Oyy%230xhCFHA.4004@tk2msftngp13.phx.gbl...
> You can use IPsec filtering policy to block user access to the internet. You
> can use IPsec with block and permit filter actions. You could create an
> IPsec policy with a mirrored block all IP rule and then create another
> mirrored rule with permit for the subnets that should be allowed. The user
> on the restricted computer will not get any special error message, however,
> and will not be able to get updates from Windows Updates from the internet.
> The link below explains IPsec filtering more. --- Steve
>
> http://www.securityfocus.com/infocus/1559
>
> "Rob Bergstrom" <nospam@backatcha.com> wrote in message
> news:uOm1URhCFHA.1084@tk2msftngp13.phx.gbl...
> >I have a subnet in a remote location that 2 computers need to be blocked
> > from getting to the Internet.
> >
> > Can I use group policy to do this or some other way in Active Directory?
> > (I have a firewall that I can do it using the rules and make a static IP
> > for those computers.)
> >
> > They are on the 192.168.4.0 network, go through the router to the main
> > network 192.168.1.0 to get Internet.
> > If I gave them a bogus default gateway they won't be able to log on to
> > the domain since they have to access the 1.x network to login.
> >
> > The firewall is probably the best way, but I would like to know of any
> > way in AD and/or group policy if there is one.
> > Windows 2003 servers/XP clients
> >
> > Thanks,
> > Rob
> >
> >
>
>