How best to restrict IE access thru AD in server 2008?
I have taken over for someone who recently got fired, and I know a bit about AD but GPOs are a mystery to me, although it doesn't seem terribly complicated. What I have been tasked to do is to restrict internet access by a certain user group. These users are already all in a group and all on the domain, and are already restricted locally from installing anything, so what I need to do is restrict the only browser left to them, IE, while whitelisting a few sites they need access to for work. How can this best be done?
This probably isn't going to be of much help since you seem to know this already, but you're headed in the right direction. Group Policy is the way to do it. I would just Google Group Policy. Most of the information you need is on Microsoft's TechNet website, but it is much easier to find it using Google than searching TechNet directly. Once you read through a page or two you will find what you need. I messed around with it briefly a few years ago but I've forgotten everything now.
I was bored so I did a Google search on "restricting access to Internet Explorer using Active Directory group policies".
Here's something that might help:
Here's something that indicates GPOs are not the way to go:
I agree with the TechNet article. If you wanted to restrict them from running IE completely, then GPOs would be the way to go, using software restrictions or AppLocker if you're running R2.
However, what you're trying to achieve is to restrict their access to certain sites; this is really a job for a proxy server, Forefront TMG if you want the MS option.
Trend Micro IWSS or IWSVA would also meet your requirements plus give you malware protection for traffic that passes through it. IWSVA is a virtual appliance so will require a Hyper-V or ESXi installation to run on.
For a low cost solution a modest PC running Ubuntu Server and Squid will do the job.
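An added example, not part of the original post: a minimal squid.conf allowlist for the Squid option mentioned above. The subnet and domain names are placeholder assumptions, and the restricted users are assumed to be identified by their PCs' subnet rather than by AD group membership.

```conf
# /etc/squid/squid.conf (constructed example; addresses and domains are placeholders)

http_port 3128

# Assumption: the restricted group's PCs sit in this subnet.
acl restricted_pcs src 192.168.50.0/24

# Work sites the group may reach.
# A leading dot matches the domain itself and all of its subdomains.
acl work_sites dstdomain .example.com .intranet.example.org

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse unusual ports and CONNECT tunnels to anything other than 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allowlist: restricted PCs reach the work sites and nothing else.
# HTTPS is covered too, because the CONNECT request carries the host name.
http_access allow restricted_pcs work_sites
http_access deny restricted_pcs

# Assumption: no other clients are served by this proxy.
http_access deny all

# Blocked requests appear in Squid's access.log as TCP_DENIED entries,
# which gives a record of what the group tried to reach.
```

The allowlist only holds if the browsers are pointed at the proxy (the IE proxy setting can be pushed and locked by Group Policy) and the firewall drops direct outbound web traffic from those PCs, so the proxy is the only way out.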
ss202sl said: A proxy server is what you really need. There are several out there (squid, ironport, ISA server-forefront?), there are even a few cloud services that will provide proxy services.
Interesting point about the cloud providers. This is something I have been researching to control/log access at our smaller offices. Do you know of any providers that allow you to create your own rule sets?