Sign in with
Sign up | Sign in
Your question

Deny Internet Usage w/Group Policy

Last response: in Windows 2000/NT
Share
February 28, 2005 2:30:39 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I'm looking for a way to stop one machine from accessing the internet at
all.
I have created another OU called "Limited Access" and have been looking
through everything I can think of in the GP editorbut so far I can find
nothing on this subject.

A little background:

This computer will be used for only entering data into a spreadsheet and
soon an Access Database for inventory tracking purposes. I want to limit
then to only Excel and Access.

I think I just came up with the way to do this by using Software
Restriction. Can someone please tell me if I'm on the right track and point
me to some relevant documentation for this purpose.

Thanks,

Mike Stevens
February 28, 2005 2:33:07 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

One more thing I think I should add. This computer is running Windows 2K
Pro SP4

Thanks again



<none> wrote in message news:o aKwbLbHFHA.3072@tk2msftngp13.phx.gbl...
> I'm looking for a way to stop one machine from accessing the internet at
> all.
> I have created another OU called "Limited Access" and have been looking
> through everything I can think of in the GP editorbut so far I can find
> nothing on this subject.
>
> A little background:
>
> This computer will be used for only entering data into a spreadsheet and
> soon an Access Database for inventory tracking purposes. I want to limit
> then to only Excel and Access.
>
> I think I just came up with the way to do this by using Software
> Restriction. Can someone please tell me if I'm on the right track and
point
> me to some relevant documentation for this purpose.
>
> Thanks,
>
> Mike Stevens
>
>
Anonymous
February 28, 2005 2:33:08 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have used this process successfully in the past:

Internet Explorer blocking (per user account)

Create a new "OU" call it something like "Restricted" then create a gpo and
call it "No_Internet" then add the following policies:

1. user configuration\windows settings\internet explorer
maintenance\connection then choose proxy settings put a check box in proxy
settings and put a dead ip or server name in the field and change the port to
8080 (set all fields to use these parameters)

2. administration template\windows components\internet explorer\internet
control panel enable "disable connection page."

3. move the few restricted users into the restricted ou they should inherit
the parent gpo (if any)

NOTES
refresh the client gp by rebooting or typing for winxp gpupdate /target:user
or win2k secedit /refreshpolicy

"none" wrote:

> One more thing I think I should add. This computer is running Windows 2K
> Pro SP4
>
> Thanks again
>
>
>
> <none> wrote in message news:o aKwbLbHFHA.3072@tk2msftngp13.phx.gbl...
> > I'm looking for a way to stop one machine from accessing the internet at
> > all.
> > I have created another OU called "Limited Access" and have been looking
> > through everything I can think of in the GP editorbut so far I can find
> > nothing on this subject.
> >
> > A little background:
> >
> > This computer will be used for only entering data into a spreadsheet and
> > soon an Access Database for inventory tracking purposes. I want to limit
> > then to only Excel and Access.
> >
> > I think I just came up with the way to do this by using Software
> > Restriction. Can someone please tell me if I'm on the right track and
> point
> > me to some relevant documentation for this purpose.
> >
> > Thanks,
> >
> > Mike Stevens
> >
> >
>
>
>
Related resources
Anonymous
March 1, 2005 2:47:26 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

"ablackcarneysc" wrote:
> I have used this process successfully in the past:
>
> Internet Explorer blocking (per user account)
>
> Create a new "OU" call it something like "Restricted" then
> create a gpo and
> call it "No_Internet" then add the following policies:
>
> 1. user configurationwindows settingsinternet explorer
> maintenanceconnection then choose proxy settings put a check
> box in proxy
> settings and put a dead ip or server name in the field and
> change the port to
> 8080 (set all fields to use these parameters)
>
> 2. administration templatewindows componentsinternet
> explorerinternet
> control panel enable "disable connection page."
>
> 3. move the few restricted users into the restricted ou they
> should inherit
> the parent gpo (if any)
>
> NOTES
> refresh the client gp by rebooting or typing for winxp
> gpupdate /target:user
> or win2k secedit /refreshpolicy
>
> "none" wrote:
>
> > One more thing I think I should add. This computer is
> running Windows 2K
> > Pro SP4
> >
> > Thanks again
> >
> >
> >
> > <none> wrote in message
> news:o aKwbLbHFHA.3072@tk2msftngp13.phx.gbl...
>  > > I'm looking for a way to stop one machine from
> accessing the internet at
>  > > all.
>  > > I have created another OU called "Limited Access"
> and have been looking
>  > > through everything I can think of in the GP
> editorbut so far I can find
>  > > nothing on this subject.
>  > >
>  > > A little background:
>  > >
>  > > This computer will be used for only entering data
> into a spreadsheet and
>  > > soon an Access Database for inventory tracking
> purposes. I want to limit
>  > > then to only Excel and Access.
>  > >
>  > > I think I just came up with the way to do this by
> using Software
>  > > Restriction. Can someone please tell me if I'm on
> the right track and
> > point
>  > > me to some relevant documentation for this purpose.
>  > >
>  > > Thanks,
>  > >
>  > > Mike Stevens
>  > >
>  > >
> >
> >
> >

Hi,

The phony Proxy setting is the only way to do this. Software
restriction policies are only for XP Pro and only apply to certain
versions of software.

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-Deny-Internet...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=856327
Anonymous
March 1, 2005 3:22:22 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

You could configure the computer to have a bogus default gateway, configure
your firewall to block outbound access by the computer's assigned IP
address, or use an ipsec filtering policy that uses rules with permit and
deny filter actions. This can be done via OU Group Policy or Local Group
Policy for a single computer. The ipsec policy could have one mirrored rule
configured to block all IP and then another rule with a filter action of
permit for the subnet of the local network. The link below explains in more
detail. --- Steve

http://www.securityfocus.com/infocus/1559

<none> wrote in message news:o aKwbLbHFHA.3072@tk2msftngp13.phx.gbl...
> I'm looking for a way to stop one machine from accessing the internet at
> all.
> I have created another OU called "Limited Access" and have been looking
> through everything I can think of in the GP editorbut so far I can find
> nothing on this subject.
>
> A little background:
>
> This computer will be used for only entering data into a spreadsheet and
> soon an Access Database for inventory tracking purposes. I want to limit
> then to only Excel and Access.
>
> I think I just came up with the way to do this by using Software
> Restriction. Can someone please tell me if I'm on the right track and
> point
> me to some relevant documentation for this purpose.
>
> Thanks,
>
> Mike Stevens
>
>
Anonymous
April 2, 2009 2:40:47 PM

Using fake proxy settings does work. However, we have had a couple of users figure out how to find that setting and change it back. So, something we are trying now is, we have gone to C:\Program Files\Internet Explorer\iexplorer.exe , right clicked the executable file, selected propreties then the security tab selected "users" and checked off "deny" for "read & execute" and "read". So far this has worked.

I have also done what you are trying through group policy by locking down the computer so nothing shows up when the user clicks the start button and there are no icons on the desktop and the user can not right click. Then I put the programs I want the user to be able to run in: C:\Documents and Settings\Default User\Start Menu\Programs\Startup

Then when the user logs on the programs start automatically and they can not access any other part of the computer, including internet explorer. The only thing to keep in mind is, if you are going to allow them to browse to open the document they may be able to get to the internet this way. you will have to play with the GP settings to limit browsing. The programs I am using point of sale programs, etc. and do not require the user to browse to open a document.
Anonymous
February 4, 2010 4:16:57 PM

If my users didn't have to use internet explorer, this may work. However, my users use internet explorer for our intranet site and other daily functions that they do. How do you restrict the usage without restricting internet explorer. The gateway method is what I am currently doing and am looking how to apply it to a group of machines.
!