Solved

For 300 Points, Restrict Internet Access to Certain Workstation Users

Posted on 2002-04-16
1,170 Views
Last Modified: 2010-04-13
I work for a company that uses a Windows NT 4.0 server-based single-domain network.  Some of the client workstations are running Windows 2000 Professional.

Internet access on our network is controlled by manually pointing the workstation to a certain DNS server--DNSa for internet and intranet name resolution, DNSb for intranet name resolution only.  This means that a workstation either has access to the internet, or it doesn't, regardless of who is logged on.

My problem is this:  We have some Windows 2000 Professional workstations in public areas that are used by multiple users.  Currently, all of these workstations are set to use DNSb, and can only access the intranet.  However, there are some users who want to be able to log in to these machines and, because they are authorized to access the internet, want to be able to access it on these public computers.

Is there a way to implement this?

Here are the scenarios that we've thought of and rejected:

(1) Set local NTFS permissions on the c:\PROGRAM FILES\INTERNET EXPLORER directory to allow only internet-authorized users to read and execute files in that directory.  Rejected because it would prevent other users from accessing the intranet.

(2) Install two NICs, and enable booting to two different hardware profiles.  Settings for one NIC would point to DNSa, and the other to DNSb.  Each hardware profile would disable the unnecessary NIC.  Rejected because there is nothing to prevent unauthorized users from selecting the internet-enabled hardware profile and logging in.  Also, we don't want the users moving the cable themselves, and running an extra cable for the new NIC would be a PITA.

(3) Dual-boot to two different installations of Win2K.  Each installation would be configured to use the appropriate DNS--one for DNSa, one for DNSb.  Rejected, but will be considered if we can figure out a way to keep unauthorized domain users from logging into the workstation installation that points to DNSa.

Any other ideas?
Question by:Guncrazy

16 Comments

LVL 3

Expert Comment

by:cincin77
You install an ISA server as a proxy server and configure it with respect to the groups you have. This way, you can even restrict some users for some period of a day. This solves your problem without having two DNS servers.

Author Comment

by:Guncrazy
Whoops...should have stipulated: We can't purchase another server.  We have to, if possible, make this work with existing software and hardware.  Thanks, though.
LVL 32

Expert Comment

by:jhance
Why not change the DNS server(s) in use as a part of the user logon process?  If a generic user logs in the DNS points to the limited DNS servers. If a "privileged" user logs in you set the open DNS servers.

Author Comment

by:Guncrazy
JHANCE:  That was actually proposed, but we didn't think it was possible.  If you can be more specific about how to do this, and if it's workable for us, I'll accept it as an answer.
LVL 32

Expert Comment

by:jhance
My favorite solution would be:

http://www.netswitcher.com

Author Comment

by:Guncrazy
Interesting program, but not a solution.  First, it requires the user to change the settings, which we don't want them to be able to do (and would this program work if the user is not an administrator on the local machine?).  Second, all we can work with is current hardware and software.
LVL 32

Expert Comment

by:jhance
Well, clearly you know more about this than I do.  

You have also placed impossible restrictions on yourself.  Namely: "all we can work with is current hardware and software".  So you're saying that unless you already have a solution in place and just don't know about it, there is nothing you can change.  Good luck.
LVL 7

Expert Comment

by:jmiller47
The only thing that I can possibly think of is to change the DNS server settings based on logon name. You can do this with your logon script. You will either need a command-line utility or a .vbs script. I will look up both and post here shortly unless someone else finds one first.

Guncrazy, can you please post whether you are running at least Internet Explorer 5.5 on all your workstations. If you are, then a .vbs script will work fine. If not, then you must use a command-line utility only.
 
LVL 7

Expert Comment

by:jmiller47
Sorry, I only posted that once. It seems there are command line utilities for doing this, but only for Windows 2000 machines. If you have Windows NT 4.0, the utilities will not work.

If you have IE 5.5 installed on all your workstations, I can write you a vbs script that will make changes to the registry based on user logon.

Please let me know.
LVL 5

Expert Comment

by:matt023
I don't think it's possible to use DNS to control Internet access on a per-user basis, except for some script that jhance had provided.  However, you'll need to grant your users the right to change the TCP/IP properties, which you do not want.  DNS is machine specific.  
How about setting up some public machines to use DNSa and some to use DNSb?  
If the users don't like it, tell them to ask the CEO to spend a bit more money on IT!!!

Author Comment

by:Guncrazy
JMILLER: If you can tell me a little more about the script you propose, I'd appreciate it.  You say the script wouldn't work on Win2K machines--remember, all of our servers are WinNT.  We therefore aren't running Active Directory, either, if that's an issue. All browsers are at least IE5.5.

Of course, if it's impossible, it's impossible, and I'll accept a good explanation as an answer.
LVL 7

Expert Comment

by:jmiller47
Actually, I said that a command-line utility would only work on 2000 (it has many more command-line utilities included and in the Resource Kit).

If you have other workstations that this needs to run on than just Windows 2000, then you can use a Visual Basic Script (.vbs) that would change registry settings.

I was unable to find a command-line utility that would work in Windows 2000 and NT 4.0. Since the DNS server settings are stored in the Registry, I think that a .vbs script can be written that would overwrite the registry settings. If you ran this at logon, you could essentially change the DNS settings upon logon.

Unfortunately, if the computer is on for an extended period of time, new DHCP settings (including DNS servers) could come into effect.

Therefore, this would work randomly at best.

Sorry,
LVL 7

Accepted Solution

by: jmiller47 (earned 300 total points)
It looks like this won't be possible even if you migrate your workstations to Windows XP. In Group Policy, there is a GPO setting that allows you to define the DNS servers. You can apply that setting to computers, but not to specific users. This fast switching would be a great feature, but it looks like it's not possible right now. I don't even think there is a third-party application that can do it unless it runs under different credentials than the user so it has rights to change network settings. By default, users do not have the ability to change network settings.


Author Comment

by:Guncrazy
Not possible, eh?  Well, I guess that just confirms what all of us down here figured out.  Just wanted to make sure we weren't missing anything.  Thanks.

Expert Comment

by:jboub
Take a look at the Netsh command-line tool found in XP or in the 2000 Server Resource Kit. It allows you to change DNS settings via a .bat file from a login script.

netsh interface ip set dns "Local Area Connection" static xxx.xxx.xxx.xxx

Jboub/MCSE
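The netsh approach above, written out as a logon batch script (an added example, not jboub's or the thread's own code): it assumes a domain group named "Internet Users", the placeholder resolver addresses 10.0.0.10 for DNSa and 10.0.0.11 for DNSb, and a Windows 2000 workstation with netsh.exe. As jmiller47 notes, netsh needs rights to change network settings, so this only works when the script runs with those rights, and a later DHCP renewal can overwrite the result.

```batch
@echo off
rem Added example, not code from the thread. Picks the resolver by domain group
rem membership and applies it with netsh at logon.
rem Assumptions (placeholders, not values from the thread):
rem   group "Internet Users" = users allowed to reach the internet
rem   10.0.0.10 = DNSa (internet + intranet), 10.0.0.11 = DNSb (intranet only)
setlocal
set IFNAME=Local Area Connection
set DNSA=10.0.0.10
set DNSB=10.0.0.11

rem Default to the intranet-only resolver; only widen access on a positive match.
set DNS=%DNSB%

rem "net user <name> /domain" lists the account's global group memberships;
rem find returns errorlevel 0 when the group name appears in that output.
net user "%USERNAME%" /domain | find /i "Internet Users" >nul
if not errorlevel 1 set DNS=%DNSA%

rem Requires rights to change network settings (see the accepted answer);
rem an ordinary user account will get an error here.
netsh interface ip set dns name="%IFNAME%" source=static addr=%DNS%
if errorlevel 1 echo Could not set DNS on "%IFNAME%" (insufficient rights?)
endlocal
```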
