Block One URL in Group Policy

Guest
Archived from groups: microsoft.public.win2000.group_policy

Is it possible to block users from going to a particular website in group
policy? I need to restrict access to one website on a group of citrix servers
(windows 2000), but allow other IE access. Any ideas? Thank you in advance.
 
Guest

Hi,

Actually there is a whole entire other server to do this. Windows ISA
server. It isn't cheap though. Best bet is to get a free Linux Firewall. You
might be able to do it on the router if you know the IP.

Cheers,

Lara

"breffkin" wrote:

> Is it possible to block users from going to a particular website in group
> policy? I need to restrict access to one website on a group of citrix servers
> (windows 2000), but allow other IE access. Any ideas? Thank you in advance.
 
Guest

"lforbes" <lforbes@discussions.microsoft.com> said
>
> "breffkin" wrote:
>
>> Is it possible to block users from going to a particular website in
>> group policy? I need to restrict access to one website on a group of
>> citrix servers (windows 2000), but allow other IE access. Any ideas?
>> Thank you in advance.


> Hi,
>
> Actually there is a whole entire other server to do this. Windows ISA
> server. It isn't cheap though. Best bet is to get a free Linux Firewall.
> You might be able to do it on the router if you know the IP.

If the intention is just to block a *single* site you could create a bogus
entry in the DNS or host file that points to a non-existent IP address.


--

Andy.
 
Guest

Hi Andrew,

I have a question about this. I have tried everything to create a DNS entry
in my Windows 2003 DNS that DIDN'T have my DNS extension. As far as I can
figure it is not possible. Every time I create an alias or a host etc., it
automatically adds my DNS extension mydomain.local. Therefore how would you
do what you suggested, like create a DNS entry for www.hotmail.com?

Thanks

Lara

"Andrew Mitchell" wrote:

> "lforbes" <lforbes@discussions.microsoft.com> said
> >
> > "breffkin" wrote:
> >
> >> Is it possible to block users from going to a particular website in
> >> group policy? I need to restrict access to one website on a group of
> >> citrix servers (windows 2000), but allow other IE access. Any ideas?
> >> Thank you in advance.
>
>
> > Hi,
> >
> > Actually there is a whole entire other server to do this. Windows ISA
> > server. It isn't cheap though. Best bet is to get a free Linux Firewall.
> > You might be able to do it on the router if you know the IP.
>
> If the intention is just to block a *single* site you could create a bogus
> entry in the DNS or host file that points to a non-existent IP address.
>
>
> --
>
> Andy.
>
 
Guest

"lforbes" <lforbes@discussions.microsoft.com> said

> Hi Andrew,
>
> I have a question about this. I have tried everything to create a DNS
> entry in my Windows 2003 DNS that DIDN'T have my DNS extension. As far
> as I can figure it is not possible. Every time I create an alias or a
> host etc., it automatically adds my DNS extension mydomain.local.
> Therefore how would you do what you suggested, like create a DNS entry
> for www.hotmail.com?
>

I've done this using BIND in the past, not with the Windows DNS, but from
what I can see it should be possible using a stub zone and conditional
forwarding.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/7f6df44c-06c3-4b92-ba32-63d895a7924b.mspx

In your example you would basically create a zone for hotmail.com with
forwarders pointing to your ISP's DNS servers and an A record for www
pointing to a dummy IP address.
This would cause www.hotmail.com to resolve to the dummy address, but all
other hotmail.com resolution requests to go out to the ISP's DNS.


--

Andy.
 
Guest

Hi,

Thanks. I actually needed that because I have a Webserver behind my ISA but
with a public web address as well as a private. When authenticating inside my
network to my DNS I wanted it to just go directly rather than out through the
ISA and back in again. I will try it.

Cheers,

Lara

"Andrew Mitchell" wrote:

> "lforbes" <lforbes@discussions.microsoft.com> said
>
> > Hi Andrew,
> >
> > I have a question about this. I have tried everything to create a DNS
> > entry in my Windows 2003 DNS that DIDN'T have my DNS extension. As far
> > as I can figure it is not possible. Every time I create an alias or a
> > host etc., it automatically adds my DNS extension mydomain.local.
> > Therefore how would you do what you suggested, like create a DNS entry
> > for www.hotmail.com?
> >
>
> I've done this using BIND in the past, not with the Windows DNS, but from
> what I can see it should be possible using a stub zone and conditional
> forwarding.
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/7f6df44c-06c3-4b92-ba32-63d895a7924b.mspx
>
> In your example you would basically create a zone for hotmail.com with
> forwarders pointing to your ISP's DNS servers and an A record for www
> pointing to a dummy IP address.
> This would cause www.hotmail.com to resolve to the dummy address, but all
> other hotmail.com resolution requests to go out to the ISP's DNS.
>
>
> --
>
> Andy.
>
 

djohns66

Apr 3, 2009
I got creative on this one. I took the local 'hosts' file from any client PC and added the following lines:

127.0.0.1 toolbar.google.com
127.0.0.1 toolbar.msn.com
127.0.0.1 toolbar.yahoo.com
127.0.0.1 toolbar.aol.com
127.0.0.1 us.dl1.yimg.com
127.0.0.1 www3.oclc.org/app/yahoo/

I saved a copy of the hosts file to a shared location, \\server_name\Netlogon

I then created a simple batch file to copy the hosts file from a shared location to the default location on the client PCs and saved this in the same location.

Then I created a GPO and put the batch file as a script to run every time the user logs on. It isn't pretty, but it works. This is combined w/ restricting certain exe files that install toolbars from running and NOT having users as Local Administrators.

I'm sure there are other methods, but this will work and appease the powers that be. (This is dependent on your environment and office politics of course)

I actually prefer mandating no toolbar installs and if someone does install after being told not to then publicly execute them in front of their co-workers in the harshest of ways. I think this method would be easier than the admin overhead involved but due to office politics and certain legal issues that method is not very feasible in today's 'Politically Correct' society.
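
An added example, not part of the original thread: a hosts file maps hostnames to addresses, so the resolver never sees a URL path and an entry such as `www3.oclc.org/app/yahoo/` matches nothing. This Python linter checks a block list before it is copied to the Netlogon share; the function names `check_name` and `lint_hosts` are hypothetical, and the sample input is constructed from the entries in the post above.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample: the block-list entries quoted in the post above.
SAMPLE = """\
127.0.0.1 toolbar.google.com
127.0.0.1 toolbar.msn.com
127.0.0.1 toolbar.yahoo.com
127.0.0.1 toolbar.aol.com
127.0.0.1 us.dl1.yimg.com
127.0.0.1 www3.oclc.org/app/yahoo/
"""

def check_name(name):
    """Return None if name is a plain hostname, else the reason it is not."""
    if "://" in name or "/" in name:
        return "URL or path: hosts entries match hostnames only"
    labels = name.rstrip(".").split(".")
    if len(name) > 253 or not all(LABEL.match(label) for label in labels):
        return "not a valid hostname"
    return None

def lint_hosts(text):
    """Return (valid, problems): [(ip, name)] and [(lineno, token, reason)]."""
    valid, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append((lineno, fields[0], "first field is not an IP address"))
            continue
        for name in fields[1:]:  # a line may carry several names for one address
            reason = check_name(name)
            if reason:
                problems.append((lineno, name, reason))
            else:
                valid.append((ip, name.lower()))
    return valid, problems

if __name__ == "__main__":
    ok, bad = lint_hosts(SAMPLE)
    for lineno, token, reason in bad:
        print(f"line {lineno}: {token!r}: {reason}")
    print(f"{len(ok)} usable entries")
```

Hosts entries are also exact matches, so each hostname to be blocked needs its own line; a parent-domain entry does not cover subdomains.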