Guncrazy

For 300 Points, Restrict Internet Access to Certain Workstation Users

I work for a company that uses a Windows NT 4.0 server-based single-domain network.  Some of the client workstations are running Windows 2000 Professional.

Internet access on our network is controlled by manually pointing the workstation to a certain DNS server--DNSa for internet and intranet name resolution, DNSb for intranet name resolution only.  This means that a workstation either has access to the internet, or it doesn't, regardless of who is logged on.

My problem is this:  We have some Windows 2000 Professional workstations in public areas that are used by multiple users.  Currently, all of these workstations are set to use DNSb, and can only access the intranet.  However, there are some users who want to be able to login to these machines and, because they are authorized to access the internet, want to be able to access it on these public computers.

Is there a way to implement this?

Here are the scenarios that we've thought of and rejected:

(1) Set local NTFS permissions on the c:\PROGRAM FILES\INTERNET EXPLORER directory to allow only internet-authorized users to read and execute files in that directory.  Rejected because it would prevent other users from accessing the intranet.

(2) Install two NICs, and enable booting to two different hardware profiles.  Settings for one NIC would point to DNSa, and the other to DNSb.  Each hardware profile would disable the unnecessary NIC.  Rejected because there is nothing to prevent unauthorized users from selecting the internet-enabled hardware profile and logging in.  Also, we don't want the users moving the cable themselves, and running an extra cable for the new NIC would be a PITA.

(3) Dual-boot to two different installations of Win2K.  Each installation would be configured to use the appropriate DNS--one for DNSa, one for DNSb.  Rejected, but will be considered if we can figure out a way to keep unauthorized domain users from logging into the workstation installation that points to DNSa.

Any other ideas?
cincin77

You install an ISA server as a proxy server and configure it with respect to the groups you have. With this way, you can even restrict some users for some period of a day. This solves your problem without having two DNS servers.
ASKER

Whoops...should have stipulated: We can't purchase another server.  We have to, if possible, make this work with existing software and hardware.  Thanks, though.
Why not change the DNS server(s) in use as a part of the user logon process?  If a generic user logs in the DNS points to the limited DNS servers. If a "privileged" user logs in you set the open DNS servers.
JHANCE:  That was actually proposed, but we didn't think it was possible.  If you can be more specific about how to do this, and if it's workable for us, I'll accept it as an answer.
My favorite solution would be:

http://www.netswitcher.com
Interesting program, but not a solution.  First, it requires the user to change the settings, which we don't want them to be able to do (and would this program work if the user is not an administrator on the local machine?).  Second, all we can work with is current hardware and software.
Well, clearly you know more about this than I do.  

You have also placed impossible restrictions on yourself.  Namely: "all we can work with is current hardware and software".  So you're saying that unless you already have a solution in place and just don't know about it, there is nothing you can change.  Good luck.
The only thing that I can possibly think of is to change the DNS server settings based on logon name. You can do this with your logon script. You will either need a command line utility or a vbs script. I will look up both and post here shortly unless someone else can find first.

Guncrazy, can you please post whether you are running at least Internet Explorer 5.5 on all your workstations. If you are, then a vbs script will work fine. If not, then you must use a command line utility only.
Sorry, I only posted that once. It seems there are command line utilities for doing this, but only for Windows 2000 machines. If you have Windows NT 4.0, the utilities will not work.

If you have IE 5.5 installed on all your workstations, I can write you a vbs script that will make changes to the registry based on user logon.

Please let me know.
I don't think it's possible to use DNS to control Internet access on a per-user basis - except for some script like the one jhance had proposed.  However, you'll need to grant your users the right to change the TCP/IP properties - which you do not want.  DNS is machine specific.  
How about setting up some public machines to use DNSa and some to use DNSb?  
If the users don't like it, tell them to ask the CEO to spend a bit more money on IT!!!
JMILLER: If you can tell me a little more about the script you propose, I'd appreciate it.  You say the script wouldn't work on Win2K machines--remember, all of our servers are WinNT.  We therefore aren't running Active Directory, either, if that's an issue. All browsers are at least IE5.5.

Of course, if it's impossible, it's impossible, and I'll accept a good explanation as an answer.
Actually, I said that a command-line utility would only work on 2000 (It has many more commandline utilities included and in the Resource Kit).

If you have other workstations that this needs to run on than just Windows 2000, then you can use a Visual Basic Script (.vbs) that would change registry settings.

I was unable to find a command-line utility that would work in both Windows 2000 and NT 4.0. Since the DNS server settings are stored in the Registry, I think that a vbs script can be written that would overwrite the registry settings. If you ran this at logon, you could essentially change the DNS settings upon logon.

Unfortunately, if the computer is on for an extended period of time, new DHCP settings (including DNS servers) could come into effect.

Therefore, this would work randomly at best.

Sorry,
ASKER CERTIFIED SOLUTION
Joel Miller
Not possible, eh?  Well, I guess that just confirms what all of us down here figured out.  Just wanted to make sure we weren't missing anything.  Thanks.
Take a look at the Netsh command line tool found in XP or in the 2000 Server Resource Kit. It allows you to change DNS settings via a bat file run from a login script.

netsh interface ip set dns "Local Area Connection" static xxx.xxx.xxx.xxx

Jboub/MCSE
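Putting jmiller's change-DNS-at-logon idea and jboub's netsh command together, here is an added batch logon script (written for this page, not posted by anyone in the thread) that selects DNSa or DNSb by domain group membership. It assumes ifmember.exe from the Windows 2000 Server Resource Kit, a domain called MYDOMAIN with a group named "Internet Users", a connection named "Local Area Connection", and placeholder DNS addresses, none of which appear in the thread.

```batch
@echo off
rem Added example, not from the thread: a domain logon script that picks the
rem DNS server by group membership, so the same public Windows 2000 Pro
rem workstation resolves internet names only for authorized users.
rem Assumptions (not given in the thread): ifmember.exe from the Windows 2000
rem Server Resource Kit is in the NETLOGON share or on the PATH, the domain is
rem MYDOMAIN, internet-authorized users are in the global group
rem "Internet Users", the connection is "Local Area Connection", and the
rem DNSa/DNSb addresses below are placeholders from the documentation range.

set DNSA=192.0.2.10
set DNSB=192.0.2.20
set CONN=Local Area Connection

rem Default to the intranet-only resolver so that a failed group check never
rem leaves the machine on DNSa from the previous user's session.
set TARGET=%DNSB%

rem ifmember sets ERRORLEVEL to the number of listed groups the user belongs
rem to; 1 or more means this user is internet-authorized.
ifmember "MYDOMAIN\Internet Users"
if errorlevel 1 set TARGET=%DNSA%

rem netsh rewrites the machine-wide TCP/IP DNS setting. It runs under the
rem logging-on user's token, so it only succeeds if that user may change
rem network configuration (local Administrators on Windows 2000), which is
rem the rights objection raised earlier in the thread.
netsh interface ip set dns "%CONN%" static %TARGET%
if errorlevel 1 echo DNS change failed for %USERNAME% on %COMPUTERNAME%

rem Show the resolver now in effect so the result can be checked in the
rem logon window.
netsh interface ip show dns "%CONN%"
```

Because the script depends on the user's own rights and DHCP can later replace the servers it set, it routes traffic by convenience rather than enforcing anything; a proxy that checks group membership, as cincin77 suggested, is the enforceable control.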