Internet/Intranet Access

Last response: in Windows 2000/NT
Anonymous
January 12, 2005 6:41:28 PM

Archived from groups: microsoft.public.win2000.security

I have users on a Win 2000 network that need to access an intranet site, but
not the internet. Restricting access to the iexplore.exe file on the local
workstations isn't an option as it is needed to run the intranet site. Can
this be done in the user account sections or do I need to go to the router?
Any suggestions would be great.

Libby
Anonymous
January 12, 2005 8:25:12 PM

If you don't want/can't block at the firewall you create an IP Security
Policy and push it to the appropriate workstations via group policy. The IP
Security Policy would have 2 rules: 1) block all outgoing connections to port
80 and 443 except for 2) allow outgoing port 80/443 connections if
destination address is within your subnets or internal DNS domain. Note,
this option isn't user specific - it follows the computer.

--
Regards,
Randy Franklin Smith, CISA, SSCP, Security MVP
Creator of the Ultimate Windows Security training courses

"Libby" <lkennedy@dclchem.com> wrote in message
news:%23uJCd9N%23EHA.3124@TK2MSFTNGP11.phx.gbl...
> I have users on a Win 2000 network that need to access an intranet site,
> but not the internet. Restricting access to the iexplore.exe file on the
> local workstations isn't an option as it is needed to run the intranet site.
> Can this be done in the user account sections or do I need to go to the
> router? Any suggestions would be great.
>
> Libby
Anonymous
January 12, 2005 8:49:54 PM

If you do that by the way, you will break Windows Update. This is only a
problem if you are using Windows Update as opposed to Software Update
Services. I guess you could always create some rules to allow WU traffic
out but it starts to get cumbersome.

"Randy Franklin Smith [MVP]" <rsmith@ultimatewindowssecurity.com> wrote in
message news:%23SsC86Q%23EHA.2568@TK2MSFTNGP11.phx.gbl...
> If you don't want/can't block at the firewall you create an IP Security
> Policy and push it to the appropriate workstations via group policy. The
> IP Security Policy would have 2 rules 1) block all outgoing connections to
> port 80 and 443 except for 2) allow outgoing port 80/443 connections if
> destination address is within your subnets or internal dns domain. Note,
> this option isn't user specific - it follows the computer.
>
> --
> Regards,
> Randy Franklin Smith, CISA, SSCP, Security MVP
> Creator of the Ultimate Windows Security training courses
>
> "Libby" <lkennedy@dclchem.com> wrote in message
> news:%23uJCd9N%23EHA.3124@TK2MSFTNGP11.phx.gbl...
>> I have users on a Win 2000 network that need to access an intranet site,
>> but not the internet. Restricting access to the iexplore.exe file on the
>> local workstations isn't an option as it is needed to run the intranet site.
>> Can this be done in the user account sections or do I need to go to the
>> router? Any suggestions would be great.
>>
>> Libby
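A model of how the two-rule IP Security Policy described in the thread treats outbound connections, as an added example that is not part of the original posts. The internal subnets and sample destinations are constructed assumptions; the model relies on Windows IPsec applying the most specific matching filter first, which is why the internal permit overrides the block-any rule, and it shows the Windows Update side effect raised in the last reply.

```python
import ipaddress

# Assumed internal ranges (constructed; substitute your own subnets).
INTERNAL_SUBNETS = ["10.0.0.0/8", "192.168.10.0/24"]
WEB_PORTS = {80, 443}  # the only ports the two rules filter

# Rule 1: block web traffic to any destination.
# Rule 2: permit web traffic to internal subnets.
FILTERS = [(ipaddress.ip_network("0.0.0.0/0"), "block")]
FILTERS += [(ipaddress.ip_network(n), "permit") for n in INTERNAL_SUBNETS]


def decide(dst_ip, dst_port, protocol="TCP"):
    """Return 'permit', 'block' or 'unfiltered' for one outbound connection."""
    if protocol != "TCP" or dst_port not in WEB_PORTS:
        return "unfiltered"  # no filter matches, so the policy does not apply
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net, action) for net, action in FILTERS if addr in net]
    if not matches:  # e.g. an IPv6 address, which these IPv4 filters never match
        return "unfiltered"
    # The most specific filter (longest prefix) decides, not rule order.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(connections):
    """Map each (label, ip, port) to the policy's decision."""
    return {label: decide(ip, port) for label, ip, port in connections}


# Constructed sample destinations; 203.0.113.0/24 is a documentation range
# standing in for any Internet host, such as a Windows Update server.
SAMPLE = [
    ("intranet http", "10.1.2.3", 80),
    ("intranet https", "192.168.10.5", 443),
    ("internet http (e.g. Windows Update)", "203.0.113.10", 80),
    ("internet https", "203.0.113.10", 443),
    ("non-web port", "203.0.113.10", 25),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {label}")
```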