Restricting Intranet/Internet Access w/ MS Proxy 2.0

We are implementing a Microsoft Proxy 2.0 array on our network as the Web Proxy Solution.

Quick Background:
Our policy for internet/intranet access is: everyone can have intranet access, but only authorised people can use the internet.
All our workstations are Windows NT 4 Workstation, and our only browser is IE 4.01.
All users must use a Proxy Server, because they are spread across 18 sites connected via WAN links, each with a proxy server, which is in a Microsoft Proxy Array.

With Microsoft Proxy 2.0 permissions enabled on the Web Proxy, the levels of access are only Full (i.e. intranet AND internet) or None (as in No Access :).

This isn't a solution for us.

I must be able to allow all users to use the proxy server, but allow only members of a specific group, 'Internet Users', access to the Internet.

I don't want to use any system which controls access based on IP address.

If a user gets authorisation to use the Internet, I put them in the Group, and they login again and have Internet Access, on whatever machine they use in the whole network.

I have tried enforcing IE 4.01 restrictions which will stop users not in the 'Internet Users' group accessing the IE zone 'Internet Zone', but with IEAK you cannot totally disable access to a zone, just disable most 'Active' components of that zone.

Can anyone help?

Hope the question isn't too complex; if so, please ask for a clarification.
bbaoIT ConsultantCommented:
I had this question, but I have already solved it with a good idea. :-)

Just create a new local group named Internet Visitors which includes all the global groups and individual users that are allowed to access the net; then, from Proxy Manager, grant access rights to this group only. The disadvantage is that I cannot set a No Access right. It looks like that is not supported in Proxy Manager.

For more info please refer to my PAQ at:
thomasdaAuthor Commented:
Thanks, but this is what I am already doing.
I need to let all users use the Proxy Server, but only allow some to go to the internet.
I need this because at most sites the intranet server is over a slow 64k link, therefore they need to use their local Microsoft proxy server (member of an array) to access the intranet, but I don't want them to use that same array to access the internet.

I think the answer needs to be more lateral.  Is there some other add-on, 3rd party product, anything, so long as it uses NT permissions _without_ prompting the user for a userID and password, that can let me do this?

I will keep increasing the points on this, as I earn them, till it can be solved!
bbaoIT ConsultantCommented:
If so, it can be solved with two proxy servers. The two servers act in an array or cascade structure. One of them is aimed at caching the intranet and has no access control on it; the other is for Internet access and performs access control, so that only a specified local or global domain group is granted access to the Internet.
thomasdaAuthor Commented:
I will try this.  I don't think it will work.
If the user Bob is in the Internet Users group, and he makes a request to connect to a resource on the Internet, I don't think the proxy server he is connected to (with no permission control enabled) will transfer the user's name to its upstream proxy (the one with permission control enabled).
The second proxy server (with permission control) will only be receiving the request from the first proxy server, not from the user Bob.
User rights are not 'transitive', i.e. they don't flow with the request as the request is passed through multiple proxy servers, I am pretty sure.
I will test this though.
bbaoIT ConsultantCommented:
Yes, user rights cannot be transitive, but in this case there is no such "transitivity": the first proxy server just forwards the original request to its upstream or secondary proxy server within an array; the second proxy server picks up the request and verifies the user's SID to determine if the user can get through its gateway.

Anyway, please have a try, that is the real answer. :-)
thomasdaAuthor Commented:
It doesn't work bbao...

I set up this...

IE - Internet Explorer 4.01, on NT 4
PROXY2 - MSProxy 2.0 with all Access Control Disabled
PROXY1 - MSProxy 2.0 only allowing members of "Internet Users" to the WWW Proxy Service

When setting up the Upstream Routing Web Proxy (This is configuring PROXY2 to use PROXY1 as an upstream proxy)...

If I say, Do NOT use credentials to communicate with upstream proxy/array, I get this error (from PROXY2)...
Proxy Reports:
12201 A chained proxy server or array member requires proxy-to-proxy authentication. Please contact your server administrator.  (I think this is coming from PROXY1, but could be PROXY2)

When I say YES use credentials, and put in a non-existent userid/password, I get this error (I tried %username% as a userID on a wild try)...
Proxy Reports:
1326 Logon failure: unknown user name or bad password.  (I am 100% sure this error is coming from PROXY1)

When I say YES use credentials, and put in domain\userid of someone who is in the "Internet Users" group, (the UserID I entered was Administrator, not myself) it works.

But in the Verbose log of my second Proxy Server (PROXY1) I get all access logged against Administrator.  It doesn't have my userID in it.  So ANYONE on PROXY2 can now access the internet.

It doesn't work.

I did see some very interesting lines coming through on PROXY1's log file; it is this...
-, -, -, N, 7/17/98, 17:10:56, W3Proxy, PROXY1, -, -, -, -, -, -, -, -, tcp, -, http://ms_proxy_auth_query/, -, -, 0, 0

This looks very interesting.. PROXY1 has Access control enabled, this line came from that proxy server.

This only appeared when I told PROXY2 to use PROXY1 as an upstream proxy.

It looks like an undocumented Microsoft feature that I think I would be extremely interested in.

Can ANYONE help me some more please?

Come on, you MCSE+Internets... let's see you earn that +Internet! :)
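The audit-trail problem described in the post above (every request through the chain logged against the one upstream account) can be checked mechanically. The following is an added example, not code from the thread or from Microsoft Proxy: it parses verbose W3Proxy log lines of the layout shown above (the field order is an assumption based on the documented verbose log format), separates the proxy-to-proxy ms_proxy_auth_query probes from real traffic, and reports when all traffic arriving from a downstream proxy collapses onto a single client address and a single account. The sample traffic lines, PROXY2's address 192.0.2.20 and the DOMAIN\Administrator account are constructed for the example.

```python
"""Audit PROXY1's verbose W3Proxy log for loss of per-user attribution when a
downstream proxy forwards every request under one fixed credential."""
from collections import Counter

# Field order of the MS Proxy 2.0 verbose W3Proxy log. This is an assumption
# based on the documented verbose format; the thread's log excerpt fits it.
FIELDS = [
    "ClientIP", "ClientUserName", "ClientAgent", "ClientAuthenticate",
    "LogDate", "LogTime", "Service", "ServerName", "ReferredServer",
    "DestHost", "DestHostIP", "DestHostPort", "ProcessingTime",
    "BytesSent", "BytesReceived", "Protocol", "Transport", "Operation",
    "Uri", "MimeType", "ObjectSource", "ResultCode", "CacheInfo",
]

# The proxy-to-proxy probe that appeared in PROXY1's log in the thread.
AUTH_QUERY_URI = "http://ms_proxy_auth_query/"

# Constructed sample: PROXY1's log after PROXY2 (192.0.2.20, an assumed
# address) was configured to authenticate upstream as DOMAIN\Administrator.
# Several different workstation users browsed through PROXY2, but PROXY1
# only ever sees PROXY2's address and the forwarded account.
SAMPLE_LOG = [
    "-, -, -, N, 7/17/98, 17:10:56, W3Proxy, PROXY1, -, -, -, -, -, -, -, -, "
    "tcp, -, http://ms_proxy_auth_query/, -, -, 0, 0",
    "192.0.2.20, DOMAIN\\Administrator, MSIE 4.01, Y, 7/17/98, 17:11:02, W3Proxy, "
    "PROXY1, -, www.example.com, 203.0.113.10, 80, 312, 418, 9123, http, tcp, GET, "
    "http://www.example.com/, text/html, Internet, 200, -",
    "192.0.2.20, DOMAIN\\Administrator, MSIE 4.01, Y, 7/17/98, 17:11:09, W3Proxy, "
    "PROXY1, -, news.example.net, 203.0.113.11, 80, 280, 402, 15230, http, tcp, GET, "
    "http://news.example.net/, text/html, Internet, 200, -",
    "192.0.2.20, DOMAIN\\Administrator, MSIE 4.01, Y, 7/17/98, 17:11:15, W3Proxy, "
    "PROXY1, -, www.example.org, 203.0.113.12, 80, 305, 399, 7810, http, tcp, GET, "
    "http://www.example.org/, text/html, Internet, 200, -",
]


def parse_w3proxy_line(line):
    """Split one comma-separated verbose log line into a field dict."""
    values = [v.strip() for v in line.split(",")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def upstream_decision(record, internet_users):
    """The only decision PROXY1's permission check can make: it evaluates the
    identity presented on the hop in front of it, never the workstation user."""
    return record["ClientAuthenticate"] == "Y" and record["ClientUserName"] in internet_users


def attribution_report(lines):
    """Summarise who the log says was browsing and flag attribution collapse."""
    records = [parse_w3proxy_line(ln) for ln in lines if ln.strip()]
    probes = [r for r in records if r["Uri"] == AUTH_QUERY_URI]
    traffic = [r for r in records if r["Uri"] != AUTH_QUERY_URI]
    users = Counter(r["ClientUserName"] for r in traffic)
    clients = Counter(r["ClientIP"] for r in traffic)
    # Many requests, one client address, one account: the log no longer says
    # who browsed, so a group-based allow list cannot be enforced at this hop.
    collapsed = len(traffic) > 1 and len(users) == 1 and len(clients) == 1
    return {
        "auth_queries": len(probes),
        "requests": len(traffic),
        "users": sorted(users),
        "clients": sorted(clients),
        "attribution_collapsed": collapsed,
    }


if __name__ == "__main__":
    print(attribution_report(SAMPLE_LOG))
    allowed = {"DOMAIN\\Administrator"}  # the 'Internet Users' membership PROXY1 checks
    for line in SAMPLE_LOG[1:]:
        rec = parse_w3proxy_line(line)
        print(upstream_decision(rec, allowed), rec["ClientUserName"], rec["Uri"])
```

Run against real PROXY1 logs, a True `attribution_collapsed` alongside only the downstream proxy's address in `clients` is the signature of the configuration the post describes: the upstream group check passes for every request because the forwarded account is the only identity it ever sees.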
thomasdaAuthor Commented:
There is no answer to this question as it is just not possible with Microsoft Proxy without a plugin...

I have proven this..

thomasdaAuthor Commented:
Can someone let me know how to delete this question?
Maybe you could answer it yourself. Be sure to give yourself an 'A'. :)
Assuming that the group allowed Internet access is not required to be monitored by the Proxy Server: configure the 'special' group's browsers to NOT use the Proxy.  They can now surf both intranet and Internet.  To force everyone else to use the proxy and thus be excluded from the Internet.....

Place an access-list in your router connecting to the internet.  Allow this 'special' group of IP addresses access to www.
Allow the proxy access to www.
Allow the entire class of IPs access to www via/through the proxy.
Deny the entire class of IPs access to www.

Now your Proxy is in charge of who can go to the Internet.
Remember that the group allowed direct access will NOT be monitored by the Proxy.
thomasdaAuthor Commented:
All our users MUST use a proxy server, because they are on a remote WAN with only a 64k link to head office.

This is not possible with only MS Proxy.  We have made it work by using the plug-in I-GEAR from

How can I close this problem without giving away my points?