For 300 Points, Restrict Internet Access to Certain Workstation Users
Posted on 2002-04-16
I work for a company that uses a Windows NT 4.0 server-based single-domain network. Some of the client workstations are running Windows 2000 Professional.
Internet access on our network is controlled by manually pointing the workstation to a certain DNS server--DNSa for internet and intranet name resolution, DNSb for intranet name resolution only. This means that a workstation either has access to the internet, or it doesn't, regardless of who is logged on.
My problem is this: We have some Windows 2000 Professional workstations in public areas that are used by multiple users. Currently, all of these workstations are set to use DNSb, and can only access the intranet. However, there are some users who want to be able to log in to these machines and, because they are authorized to access the internet, want to be able to access it on these public computers.
Is there a way to implement this?
Here are the scenarios that we've thought of and rejected:
(1) Set local NTFS permissions on the c:\PROGRAM FILES\INTERNET EXPLORER directory to allow only internet-authorized users to read and execute files in that directory. Rejected because it would prevent other users from accessing the intranet.
(2) Install two NICs, and enable booting to two different hardware profiles. Settings for one NIC would point to DNSa, and the other to DNSb. Each hardware profile would disable the unnecessary NIC. Rejected because there is nothing to prevent unauthorized users from selecting the internet-enabled hardware profile and logging in. Also, we don't want the users moving the cable themselves, and running an extra cable for the new NIC would be a PITA.
(3) Dual-boot to two different installations of Win2K. Each installation would be configured to use the appropriate DNS--one for DNSa, one for DNSb. Rejected, but will be considered if we can figure out a way to keep unauthorized domain users from logging into the workstation installation that points to DNSa.
Any other ideas?