For 300 Points, Restrict Internet Access to Certain Workstation Users

Posted on 2002-04-16
Last Modified: 2010-04-13
I work for a company that uses a Windows NT 4.0 server-based single-domain network.  Some of the client workstations are running Windows 2000 Professional.

Internet access on our network is controlled by manually pointing the workstation to a certain DNS server--DNSa for internet and intranet name resolution, DNSb for intranet name resolution only.  This means that a workstation either has access to the internet, or it doesn't, regardless of who is logged on.

My problem is this:  We have some Windows 2000 Professional workstations in public areas that are used by multiple users.  Currently, all of these workstations are set to use DNSb, and can only access the intranet.  However, there are some users who want to be able to login to these machines and, because they are authorized to access the internet, want to be able to access it on these public computers.

Is there a way to implement this?

Here are the scenarios that we've thought of and rejected:

(1) Set local NTFS permissions on the c:\PROGRAM FILES\INTERNET EXPLORER directory to allow only internet-authorized users to read and execute files in that directory.  Rejected because it would prevent other users from accessing the intranet.

(2) Install two NICs, and enable booting to two different hardware profiles.  Settings for one NIC would point to DNSa, and the other to DNSb.  Each hardware profile would disable the unnecessary NIC.  Rejected because there is nothing to prevent unauthorized users from selecting the internet-enabled hardware profile and logging in.  Also, we don't want the users moving the cable themselves, and running an extra cable for the new NIC would be a PITA.

(3) Dual-boot to two different installations of Win2K.  Each installation would be configured to use the appropriate DNS--one for DNSa, one for DNSb.  Rejected, but will be considered if we can figure out a way to keep unauthorized domain users from logging into the workstation installation that points to DNSa.

Any other ideas?
Question by:Guncrazy
Expert Comment

by:cincin77
ID: 6945315
You install an ISA server as a proxy server and configure it with respect to the groups you have. With this way, you can even restrict some users for some period of a day. This solves your problem without having two DNS servers.
Author Comment

by:Guncrazy
ID: 6945350
Whoops...should have stipulated: We can't purchase another server.  We have to, if possible, make this work with existing software and hardware.  Thanks, though.
Expert Comment

by:jhance
ID: 6945384
Why not change the DNS server(s) in use as a part of the user logon process?  If a generic user logs in the DNS points to the limited DNS servers. If a "privileged" user logs in you set the open DNS servers.
Author Comment

by:Guncrazy
ID: 6945561
JHANCE:  That was actually proposed, but we didn't think it was possible.  If you can be more specific about how to do this, and if it's workable for us, I'll accept it as an answer.
Expert Comment

by:jhance
ID: 6945592
My favorite solution would be:

http://www.netswitcher.com
Author Comment

by:Guncrazy
ID: 6945620
Interesting program, but not a solution.  First, it requires the user to change the settings, which we don't want them to be able to do (and would this program work if the user is not an administrator on the local machine?).  Second, all we can work with is current hardware and software.
Expert Comment

by:jhance
ID: 6945657
Well, clearly you know more about this than I do.  

You have also placed impossible restrictions on yourself.  Namely: "all we can work with is current hardware and software".  So you're saying that unless you already have a solution in place and just don't know about it, there is nothing you can change.  Good luck.
Expert Comment

by:jmiller47
ID: 6948309
The only thing that I can possibly think of is to change the DNS server settings based on logon name. You can do this with your logon script. You will either need a command line utility or a vbs script. I will look up both and post here shortly unless someone else finds them first.

Guncrazy, can you please post whether you are running at least Internet Explorer 5.5 on all your workstations. If you are, then a vbs script will work fine. If not, then you must use a command line utility only.
Expert Comment

by:jmiller47
ID: 6948379
Sorry, I only posted that once. It seems there are command line utilities for doing this, but only for Windows 2000 machines. If you have Windows NT 4.0, the utilities will not work.

If you have IE 5.5 installed on all your workstations, I can write you a vbs script that will make changes to the registry based on user logon.

Please let me know.
Expert Comment

by:matt023
ID: 6949555
I don't think it's possible to use DNS to control Internet access on a per-user basis, except for some script like the one jhance provided. However, you'll need to grant your users the right to change the TCP/IP properties, which you do not want. DNS is machine specific.
How about setup some public machines to use DNSa and some to use DNSb?  
If the users don't like it, tell them to ask the CEO to spend a bit more money on IT!!!
Author Comment

by:Guncrazy
ID: 6950748
JMILLER: If you can tell me a little more about the script you propose, I'd appreciate it.  You say the script wouldn't work on Win2K machines--remember, all of our servers are WinNT.  We therefore aren't running Active Directory, either, if that's an issue. All browsers are at least IE5.5.

Of course, if it's impossible, it's impossible, and I'll accept a good explanation as an answer.
Expert Comment

by:jmiller47
ID: 6951403
Actually, I said that a command-line utility would only work on 2000 (It has many more commandline utilities included and in the Resource Kit).

If you have other workstations that this needs to run on than just Windows 2000, then you can use a Visual Basic Script (.vbs) that would change registry settings.

I was unable to find a command-line utility that would work in Windows 2000 and NT 4.0. Since the DNS server settings are stored in the registry, I think that a vbs script can be written that would overwrite the registry settings. If you ran this at logon, you could essentially change the DNS settings upon logon.

Unfortunately, if the computer is on for an extended period of time, new DHCP settings (including DNS servers) could come into effect.

Therefore, this would work randomly at best.

Sorry,
Accepted Solution

by:jmiller47 (earned 300 total points)
ID: 6954099
It looks like this won't be possible even if you migrate your workstations to Windows XP. In Group Policy, there is a GPO setting that allows you to define the DNS servers. You can apply that setting to computers, but not to specific users. This fast switching would be a great feature, but it looks like it's not possible right now. I don't even think there is a third-party application that can do it unless it runs under different credentials than the user so it has rights to change network settings. By default, users do not have the ability to change network settings.

Author Comment

by:Guncrazy
ID: 6954860
Not possible, eh?  Well, I guess that just confirms what all of us down here figured out.  Just wanted to make sure we weren't missing anything.  Thanks.
Expert Comment

by:jboub
ID: 10261424
Take a look at the Netsh command line tool found in XP or in the 2000 Server Resource Kit. It allows you to change DNS settings via a bat file off a login script.

netsh interface ip set dns "Local Area Connection" static xxx.xxx.xxx.xxx

Jboub/MCSE
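The following is an added example, not code posted by anyone in this thread. It shows the logon-script approach that jmiller47 proposes above (switch the workstation's DNS servers at logon, based on who logged in) and the same network-configuration change that jboub's netsh line performs, written as a Windows Script Host VBScript for the Windows 2000 Professional workstations in the question (WMI ships with Windows 2000, and the IE 5.5 requirement jmiller47 mentions covers WSH). The addresses 10.0.0.10 (DNSa), 10.0.0.11 (DNSb) and the domain group name InternetUsers are assumptions for illustration. Two caveats the thread itself raises apply: the script runs under the logged-on user's token, and on Windows 2000 a non-administrator cannot change the adapter's DNS servers, so the WMI call fails for exactly the users this is meant to serve (the accepted answer's point); and a later DHCP renewal can overwrite whatever the script set (jmiller47's point). Two further points a practitioner should weigh: anyone with local administrator rights can point the machine at DNSa themselves, and DNS selection only withholds name resolution; it does not block traffic to hosts addressed by IP.

```vbscript
' Added example (not from the thread): choose the DNS server at logon from the
' logged-on user's domain group membership, on a Windows 2000 Pro workstation.
' Assumed (hypothetical) values: DNSa 10.0.0.10 (internet + intranet),
' DNSb 10.0.0.11 (intranet only), domain group "InternetUsers".
' Run from the NT 4.0 domain logon script, e.g.:  cscript //nologo setdns.vbs
Option Explicit

Const DNS_A = "10.0.0.10"          ' assumed address of DNSa
Const DNS_B = "10.0.0.11"          ' assumed address of DNSb
Const AUTH_GROUP = "InternetUsers" ' assumed domain group allowed on the internet

Dim oNet
Set oNet = CreateObject("WScript.Network")

' True if the logged-on user is a direct member of groupName. Uses the WinNT
' ADSI provider, which works against an NT 4.0 domain (no Active Directory).
Function IsMemberOf(groupName)
    Dim oUser, oGroup
    IsMemberOf = False
    Set oUser = GetObject("WinNT://" & oNet.UserDomain & "/" & oNet.UserName & ",user")
    For Each oGroup In oUser.Groups
        If StrComp(oGroup.Name, groupName, vbTextCompare) = 0 Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function

' Set the DNS server list on every IP-enabled adapter through WMI.
' Returns the worst return code seen: 0 = applied, 1 = reboot required,
' anything else = failure. On Windows 2000 a non-administrator token gets a
' failure here, because ordinary users may not change network settings.
Function SetDnsServers(serverList)
    Dim oWMI, colNics, oNic, rc
    SetDnsServers = 0
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colNics = oWMI.ExecQuery( _
        "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    For Each oNic In colNics
        rc = oNic.SetDNSServerSearchOrder(serverList)
        If rc > SetDnsServers Then SetDnsServers = rc
    Next
End Function

Dim servers, result
If IsMemberOf(AUTH_GROUP) Then
    servers = Array(DNS_A)
Else
    servers = Array(DNS_B)      ' default for everyone else: intranet-only resolver
End If

result = SetDnsServers(servers)
If result = 0 Then
    WScript.Echo "DNS set to " & servers(0) & " for " & oNet.UserDomain & "\" & oNet.UserName
Else
    ' Expected outcome for a non-administrator: the logon script cannot change
    ' the adapter, which is why the accepted answer calls this approach not possible.
    WScript.Echo "Could not change DNS (WMI return code " & result & ")"
End If
```

Because an NT 4.0 domain has no logoff script, the setting made here persists until the next logon: after an authorized user logs off, the public machine keeps DNSa until the next person logs in and the script runs again. If you did deploy something like this, the least-privilege way to close both that gap and the rights problem is not to run it under the user's token at all, but as a service or scheduled task with its own credentials that reacts to logon and logoff, which is the "runs under different credentials than the user" condition the accepted answer describes.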