I have a site that is using SBS2003 (not running ISA). There are certain workstations that must be able to access network drives, but not the internet. I've tried changing proxy and DNS settings manually, but the (night shift) staff who use those computers change the settings back so that they can access the internet again. This is an ongoing problem that needs to be addressed permanently.
Is there a way to prevent those particular workstations (or users) from accessing the internet using group policy? I'm not too familiar with Group Policy management, so a little guidance would be appreciated.
One simple way is to create reservations in DHCP for the users you want to keep from accessing the internet. Set these reservations to use the DHCP defaults, except the gateway, and as a gateway assign a non-existent IP address, i.e. a wrong gateway. All network access is usable, but they cannot get outside the network. I assume you are using Exchange; if this is the case the incorrect gateway will not affect mail delivery and receipt. Creating DHCP reservations: http://technet2.microsoft.com/windowsserver/en/library/690d8742-3f92-4eac-ba00-8e93feaafe861033.mspx?mfr=true
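As an added worked example (not from the thread or its author), here is the reservation-with-wrong-gateway approach carried out with the `netsh dhcp` context that ships with Windows Server 2003, run directly on the SBS box. The scope, reserved IP, MAC address, workstation name and bogus gateway are all placeholders; substitute your own.

```batch
@echo off
rem Added example, not from the original thread: pin one restricted workstation to a
rem DHCP reservation whose Router option (003) points at an address nothing answers on.
rem Run on the SBS 2003 server itself from an administrator command prompt.
rem All values below are placeholders.

set SCOPE=192.168.16.0
set RESIP=192.168.16.50
set MAC=001122334455
set BOGUSGW=192.168.16.254

rem 1. Reserve the address for the workstation's NIC (MAC given as 12 hex digits,
rem    no separators) so it always receives this lease.
netsh dhcp server scope %SCOPE% add reservedip %RESIP% %MAC% "WS-SHOP-01" "No internet: wrong gateway on purpose"

rem 2. Override option 003 (Router) for this reservation only. The scope-level
rem    gateway is untouched, so every other client keeps its internet access, and
rem    DNS still comes from the scope default, so Exchange and internal names work.
netsh dhcp server scope %SCOPE% set reservedoptionvalue %RESIP% 003 IPADDRESS %BOGUSGW%

rem 3. Verify on the server: the reservation should list the MAC, and the reserved
rem    option value should show 003 = %BOGUSGW% rather than the real router.
netsh dhcp server scope %SCOPE% show reservedip
netsh dhcp server scope %SCOPE% show reservedoptionvalue %RESIP%

rem 4. On the workstation, force a new lease and confirm the wrong gateway took:
rem      ipconfig /release
rem      ipconfig /renew
rem      ipconfig /all      (check "Default Gateway" shows the bogus address)
```

Two caveats worth checking before relying on this. The bogus gateway must be inside the subnet (Windows rejects an off-subnet gateway) and should be excluded from the scope's lease range, so DHCP never hands that address to some other device. And the reservation only controls what DHCP offers: a user with local administrator rights can still type in a static address with the real gateway, so pair it with a policy that removes their ability to edit the adapter's TCP/IP properties.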
I think the solution proposed could be circumvented if the night shift configured a static IP with the correct gateway. Another solution would be to use multiple VLANs, one with access to the internet and the other with no access. If you have a limited number of ports to control in the restricted areas, you could even configure the switch to only allow a specific MAC to connect to the port (so users can't just plug in to a different port and hop on the VLAN with access).
Another solution is to use an internet proxy which requires a login for access to the internet. All users get directed to the proxy; if they're authorized to surf they can log in and access the internet. If you create individual logins, users can't share logins because they're accountable.
Any password-protected methods wouldn't work, as the users are quite happy to share passwords (although they are not allowed to). Those particular workstations are located in an engineering workshop full of blue-collar workers who would like nothing more than to spend the night shift surfing for porn.
The network uses a Billion 7404VGO firewall/router to access the internet. It has the ability to deny access to specified MAC addresses. That is one option.
I had hoped that there was a way to solve it using group policy, as I wanted to deny changes to desktops, etc. using group policy at the same time that I was restricting internet access.
Using reservations requires no desktop access, you just do so in the server's DHCP management console. If you really want to restrict access to the network adapter you can further prevent access with group policy.
However, blocking at the router using MAC address restrictions is another good way to go. They can still clone MAC addresses, but that requires a little more skill.
Blocking at the firewall via MAC might be the easiest way to do it. The users would probably have a hard time trying to figure out why they're being blocked. Most users don't even know PCs have MAC addresses, let alone think to change that.
If the users have admin rights on the PC (like many are configured), the users can choose to set IP manually and copy the settings of a PC with internet access. This would work if the user can't change his IP settings.
I would be surprised if night shift workers interested in porn have admin rights, but we have all seen where it is necessary :-) If that were the case you can remove rights to manage the network adapter through group policy. However, unless you need to make it airtight, you are now into multiple steps and I agree the router option would be simpler.
In the interim, as there is no reason for any staff to access the Web after hours, I set the router to block all sites between 6pm and 6am. However, it would be nice to have a solution that addresses the individual workstations.