averyb
asked on
How do I use GPO to block access to all Internet sites except those listed in the Trusted Sites and Intranet Sites Zones?
Running a W2K3 domain with all workstations running XP SP2.
Need to allow users to get to a few Internet Sites, but want to block access to everything else.
I'm currently applying outbound ACLs on the firewall to do this since I can filter based on the IP address of the workstations. But I really want this done on a user basis.
Two groups of users. One group can get anywhere on the Internet, but the other can only get to 4 to 6 websites.
I can clearly see and have configured the Trusted Sites mapping using GPO.
I still need a way to configure IE to block access to any site other than the ones in the Trusted Sites or Intranet Sites Zones.
An alternative would be to have IE check to see if a site is listed in the Trusted/Intranet Zones first, then check to see if it is listed in the Restricted Sites Zone. But that assumes I can add all sites to the Restricted Sites Zone. Don't know that IE can do that.
ASKER
Thanks for the suggestion. I wish it were practical for me to use ISA Server, but it's not. I don't want to go with ISA Server for one main reason:
It's not free. There are only 4 workstations on the network in question, so cost per user of any solution that I have to purchase would be too high to justify it.
I also don't want to put another layer between the WAN and the LAN by connecting the current firewall to a multihomed computer (the ISA Server) and then to the backbone switch. I'd much rather consider a hardware appliance for this purpose that is optimized for this role, but that comes back to the cost issue.
Back to the original question. How do I make GPO do what I want?
Here is a link that might get you started.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/22fffeb1-66a3-4d5c-bc12-def57c3354fa.mspx
http://www.computerhope.com/issues/ch000523.htm
In the GPO you might find interesting settings in the following section.
computer configuration/administrative templates/windows components/internet explorer folders underneath it.
I've not had to do this, I use a proxy server that does all the filtering for me so I'm just trying to point you in what I think is the correct location.
regards,
kshays
ASKER
Not really what I'm looking for.
ASKER CERTIFIED SOLUTION
ASKER
I like that solution. While not what I was looking for it does give me the same functionality. Can you point me to the proper GPO settings to do this?
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
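One way to check, on an affected workstation, that the two settings named above took effect for the logged-on user (an added example, not part of the thread). It assumes the lockdown is a proxy address that serves nothing plus an exception list of allowed sites, since the accepted solution's text is not on this page; `Test-ProxyBypass`, `Get-ProxyLockdown` and the sample host names are hypothetical, and the registry paths are where IE keeps these values.

```powershell
# Added example: audit the per-user IE proxy lockdown (not from the thread).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$lock = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Test-ProxyBypass {
    # True when IE would connect to $HostName directly, i.e. the host matches
    # an entry of the semicolon-separated exception list ('*' is a wildcard,
    # '<local>' covers names without a dot). Entries that carry a scheme or
    # a port are not handled in this simplified matcher.
    param([string]$HostName, [string]$Override)
    foreach ($entry in ($Override -split ';')) {
        $pattern = $entry.Trim()
        if ($pattern -eq '') { continue }
        if ($pattern -eq '<local>') {
            if ($HostName -notmatch '\.') { return $true }
            continue
        }
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

function Get-ProxyLockdown {
    # Reads what the two GPO settings leave in the current user's hive.
    $s = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $lock -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnabled   = ($s.ProxyEnable -eq 1)
        ProxyServer    = $s.ProxyServer
        Exceptions     = $s.ProxyOverride
        SettingsLocked = ($p.Proxy -eq 1)   # "Disable changing proxy settings"
    }
}

# Constructed sample: an exception list and the hosts one page load touches.
$sampleOverride = 'www.example.com;*.intranet.example;<local>'
foreach ($h in 'www.example.com', 'img.example-cdn.net', 'fileserver') {
    '{0,-22} direct={1}' -f $h, (Test-ProxyBypass $h $sampleOverride)
}
Get-ProxyLockdown | Format-List
```

A host reported as `direct=False`, such as a separate image host, is sent to the proxy, so every host an allowed page pulls content from has to be on the exception list.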
ASKER
Your suggestion works pretty well. The websites don't load very cleanly though. Guess you can't have everything. Images don't load and the formatting is way off.
You achieved what I wanted to do, but what I wanted to do isn't going to be a workable solution.
Thanks anyway.
All you need is ISA Server; you can block many websites or allow many, it's up to you.
Start here: http://www.microsoft.com/isaserver/evaluation/overview/default.mspx
Feel free to ask if you have any question related to ISA, I will be here :)
Regards