averyb

How do I use GPO to block access to all Internet sites except those listed in the Trusted Sites and Intranet Sites Zones?

Running a W2K3 domain with all workstations running XP SP2.

Need to allow users to get to a few Internet Sites, but want to block access to everything else.

I'm currently applying outbound ACLs on the firewall to do this since I can filter based on the IP address of the workstations.  But I really want this done on a user basis.
Two groups of users.  One group can get anywhere on the Internet, but the other can only get to 4 to 6 websites.

I can clearly see and have configured the Trusted Sites mapping using GPO.

I still need a way to configure IE to block access to any site other than the ones in the Trusted Sites or Intranet Sites Zones.

An alternative would be to have IE check to see if a site is listed in the Trusted/Intranet Zones first, then check to see if it is listed in the Restricted Sites Zone. But that assumes I can add all sites to the Restricted Sites Zone.  Don't know that IE can do that.
mcsa_2003

Why are you doing this the hard way?

All you need is ISA Server; you can block many websites or allow many, it's up to you.

Start here: http://www.microsoft.com/isaserver/evaluation/overview/default.mspx

Feel free to ask if you have any questions related to ISA, I will be here :)

Regards
averyb (ASKER)

Thanks for the suggestion.  I wish it were practical for me to use ISA Server, but it's not.  I don't want to go with ISA Server for one main reason:

It's not free.  There are only 4 workstations on the network in question, so cost per user of any solution that I have to purchase would be too high to justify it.

I also don't want to put another layer between the WAN and the LAN by connecting the current firewall to a multihomed computer (the ISA Server) and then to the backbone switch.  I'd much rather consider a hardware appliance for this purpose that is optimized for this role, but that comes back to the cost issue.

Back to the original question.  How do I make GPO do what I want?
Kevin Hays
Here is a link that might get you started.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/22fffeb1-66a3-4d5c-bc12-def57c3354fa.mspx
http://www.computerhope.com/issues/ch000523.htm

In the GPO you might find interesting settings in the following section:
Computer Configuration/Administrative Templates/Windows Components/Internet Explorer, and the folders underneath it.

I've not had to do this; I use a proxy server that does all the filtering for me, so I'm just trying to point you to what I think is the correct location.

regards,

kshays

Another tip for downloading files.

http://www.jsifaq.com/subK/tip5300/rh5307.htm
averyb (ASKER)

Not really what I'm looking for.
CoccoBill (ASKER CERTIFIED SOLUTION)

This solution is only available to members.
averyb (ASKER)

I like that solution.  While not what I was looking for it does give me the same functionality.   Can you point me to the proper GPO settings to do this?

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings -> Administrative Templates -> Windows Components -> Internet Explorer.
averyb (ASKER)

Your suggestion works pretty well.  The websites don't load very cleanly though.  Guess you can't have everything.  Images don't load and the formatting is way off.

You achieved what I wanted to do, but what I wanted to do isn't going to be a workable solution.

Thanks anyway.