Solved

Prevent users from downloading files from the internet

Posted on 2004-04-18
21
272 Views
Last Modified: 2013-12-04
I work in an educational environment with Windows 2000 servers and clients, I also have ISA Server 2000 running in integrated mode.  The GPO setup is such that I have OUs for Pupils and OUs for Teachers, the pupils are further broken down into year groups.  What I want to be able to do is to prevent the students from downloading files from the internet and executing them on their local machines.  I don't want to restrict the teachers from doing so.  What is the best way for me to do this?

If it is through GPO could you give me the instructions on how to do this rather than saying "through GPO" as I have this answer from a different forum and it is not particularly helpful.  I have noticed that this particular forum tends to be more descriptive.

If it is via logon script then an explanation as to what it should look like and where it should go would be helpful.

Question by:seatea
21 Comments
 
LVL 7

Expert Comment

by:IceRaven
ID: 10852713
Hi seatea,

1) Edit GPO and go to User Configuration >> Windows Settings >> Internet
Explorer Maintenance >> Security >> Security Zones and Content Ratings

2) Check "Import the current security zones settings" under "Security
Zones" and click on "Modify Settings"

3) Select 'Internet' and click on "Custom Level"

4) Scroll down to 'Downloads' section and disable "File Download"

Is this enough info or do you require some more general information about how to apply a GPO to an OU?

Cheers,
IceRaven
0
 

Author Comment

by:seatea
ID: 10852752
Hi IceRaven

Believe it or not I have actually done this, however the effect it has is that it applies that setting to the whole domain so then the teachers are unable to download.

My GPOs are set like this

school
     - pupils
          y7
          y8
          y9
          y10
          y10
          y11
          y12
          y13
     - Teachers

The pupils OU has a Group Policy called students that applies the specific policies to the year groups, the Teachers OU has its own Group Policy called Teachers that applies policies to the Teachers.  If I make the suggested change to the pupils it also makes the change in the Teachers Group Policy.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10852770
Well that should not be :)  I hope that is comforting :)

So the GPO is called Students and it applies to the Pupils object unit.

You make the suggested change to the students GPO and the teachers OU receives that change also.
So now both the students and the teachers can no longer download files, is that correct?

Keep the settings like this.  Check the GPO on the teachers OU and the GPO on the school and the domain for any other modification to the Security Settings for IE.

Run
gpupdate / force
on the domain controller.

Then log in as a teacher on a computer and run
rsop.msc
and see if the policy has applied.

Cheers,
IceRaven
0
 

Author Comment

by:seatea
ID: 10852811
Thanks for your help IceRaven

It should not be!! GRRRR  I know!!  :)

The suggestions as to the GPO settings are correct.

I will try this in the morning.  It's only 12.30 pm on Sunday here but the students return after an Easter break tomorrow and I have made lots of changes during the holiday downtime including the installation of ISA Server 2000 which I hoped would do this job for me but only seems to tackle the ftp downloads.

As a matter of interest could you explain what the gpupdate / force does (and is there a gap between "/" and "force"?)  Does this force the group policy to update the changes made?

This is the most help I have had on the subject to date despite numerous postings elsewhere so hopefully it will do the trick.

Thanks
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10852837
gpupdate - Is for use on Win2003 Servers / WinXP Machines... sorry I have made that mistake before... DOH

This explains the command and also what the force switch achieves.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

For the use on your Win2000 domain controller use these two commands.

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

One refreshes the user policies, the other the machines.
The /enforce switch means refresh even if nothing has changed.
There is a gap every time there is a /

Apologies for leading you astray there, hopefully this is the last time I will make that mistake.   I work with Win2003 Servers and I am trained in Win2000 so the little differences like this often catch me.

Cheers,
IceRaven.
0
 

Author Comment

by:seatea
ID: 10857388
OK so I checked the policies for the domain, teachers and students.  The students are set to import settings and have file download disabled.  The teachers have the settings as do not import settings as does the domain.

I have run both secedit commands

however when I ran the rsop.msc it told me that "cannot find the file 'rsop.msc' (or any of its components)".  Is this also related to XP?

The result is that the students are prevented from downloading...and so are the teachers - the awkward thing also is that I as the administrator cannot download either.  If I change the setting in internet explorer/internet options/security/custom level back to enable download it then reactivates the rest of the school.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10857447
Well, these websites

http://www.paknet.com.pk/win2000se.php
http://www.onecomputerguy.com/windows2000_tips.htm

seem to think that it is part of Windows 2000.

However other sources state that this tool, gpresult
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
is used on windows 2000 clients.

I have just tested it and it works fine on XP also.  It's a command line util, so go to a command prompt first.  If you could post the result of the command here it would be much appreciated.

eg gpresult > mylog.txt

Will dump the results into the mylog.txt file, so you can paste them here.

Cheers,
IceRaven.

0
 

Author Comment

by:seatea
ID: 10857940
Here we go, I ran gpresult > mylog.txt from the command prompt at the domain controller logged on as administrator:

---------------------------------

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on 19 April 2004 at 10:23:43


Operating System Information:

Operating System Type:            Domain Controller
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            None

###############################################################

  User Group Policy results for:

  CN=Administrator,CN=Users,DC=school,DC=local

  Domain Name:            SCHOOL
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\Administrator

  The user is a member of the following security groups:

      SCHOOL\Domain Users
      \Everyone
      SCHOOL\Nero
      BUILTIN\Administrators
      BUILTIN\Users
      BUILTIN\Pre-Windows 2000 Compatible Access
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      SCHOOL\ICT
      SCHOOL\Schema Admins
      SCHOOL\Domain Admins
      SCHOOL\ICT Students
      SCHOOL\Group Policy Creator Owners
      SCHOOL\Enterprise Admins


###############################################################

Last time Group Policy was applied: 19 April 2004 at 10:23:35
Group Policy was applied from: SCHOOL-FS1.SCHOOL.local


===============================================================


The user received "Registry" settings from these GPOs:

      Default Domain Policy


===============================================================
The user received "Scripts" settings from these GPOs:

      Default Domain Policy


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      Default Domain Policy



###############################################################

  Computer Group Policy results for:

  CN=SCHOOL-FS1,OU=Domain Controllers,DC=SCHOOL,DC=local

  Domain Name:            SCHOOL
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      SCHOOL\RAS and IAS Servers
      BUILTIN\Pre-Windows 2000 Compatible Access
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      SCHOOL\SCHOOL-FS1$
      SCHOOL\Domain Controllers
      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

###############################################################

Last time Group Policy was applied: 19 April 2004 at 10:18:46
Group Policy was applied from: SCHOOL-FS1.SCHOOL.local


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "Scripts" settings from these GPOs:

      Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Controllers Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy

------------------------------------------END

I hope this makes sense to you.  I tried it as a teacher on a workstation but it did not recognise the command, likewise tried it as administrator on a workstation but did not like it.

0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10858117
It needs to be run on the workstation.

Log on as a teacher
Make sure the teacher still can't download anything.
Take the file over on a CD, or floppy
Run it
If there are errors please post them, otherwise please post the result.

IceRaven.
0

Author Comment

by:seatea
ID: 10858803
IceRaven, here is the Teacher logon file:

------------------------------------------------

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on 19 April 2004 at 13:19:53


Operating System Information:

Operating System Type:            Professional
Operating System Version:      5.0.2195.Service Pack 3
Terminal Server Mode:            Not supported

###############################################################

  User Group Policy results for:

  CN=A. Clarke,OU=Teachers,OU=Staff,OU=schoolCurriculum,DC=school,DC=local

  Domain Name:            school
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      \\school-fs1\profile share\teachers
  Local profile:      C:\Documents and Settings\clarkea

  The user is a member of the following security groups:

      school\Domain Users
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      school\Teachers
      school\English


###############################################################

Last time Group Policy was applied: 19 April 2004 at 13:19:34
Group Policy was applied from: school-fs1.school.local


===============================================================


The user received "Registry" settings from these GPOs:

      StaffPolicy
      Teachers
      Default Domain Policy


===============================================================
The user received "Folder Redirection" settings from these GPOs:

      StaffPolicy
      Teachers


===============================================================
The user received "Scripts" settings from these GPOs:

      Default Domain Policy


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      StaffPolicy
      Default Domain Policy



###############################################################

  Computer Group Policy results for:

  CN=THS-2002,CN=Computers,DC=school,DC=local

  Domain Name:            school
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      school\THS-2002$
      school\Domain Computers

###############################################################

Last time Group Policy was applied: 19 April 2004 at 13:11:19
Group Policy was applied from: school-fs1.school.local


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "Scripts" settings from these GPOs:

      Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy

----------------------------------------------------------------END

cheers
seatea
0
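The thread's diagnostic step is to run gpresult as the affected user and read off which GPOs delivered "Registry" and "Internet Explorer Branding" settings, which is where an IE Maintenance zone setting would arrive from. The following parser is an added example, not code from the thread or from either participant: it reads the Windows 2000 gpresult text layout shown in the two logs above and reports, per user and computer scope, the GPOs behind each settings category, then flags any GPO that applied but is not in an allowed list (for a teacher, anything other than the staff/teacher/domain GPOs would be suspect). The embedded sample is constructed from the teacher log's structure; pass a saved mylog.txt path as the first argument to run it on real output. The function names and the allowed-GPO set are assumptions of this example.

```python
import sys
import re

# Constructed sample modelled on the Windows 2000 gpresult layout posted in the thread.
SAMPLE_GPRESULT = """\
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999

###############################################################

  User Group Policy results for:

  CN=A. Clarke,OU=Teachers,OU=Staff,OU=schoolCurriculum,DC=school,DC=local

  Domain Name:            school

###############################################################

Last time Group Policy was applied: 19 April 2004 at 13:19:34
Group Policy was applied from: school-fs1.school.local

===============================================================

The user received "Registry" settings from these GPOs:

      StaffPolicy
      Teachers
      Default Domain Policy

===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      StaffPolicy
      Default Domain Policy

###############################################################

  Computer Group Policy results for:

  CN=THS-2002,CN=Computers,DC=school,DC=local

===============================================================
The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy

===============================================================
The computer received "Security" settings from these GPOs:

      Default Domain Policy

----------------------------------------------------------------END
"""

# "  User Group Policy results for:" / "  Computer Group Policy results for:"
HEADER_RE = re.compile(r'^\s*(User|Computer) Group Policy results for:')
# 'The user received "Registry" settings from these GPOs:'
CSE_RE = re.compile(r'^\s*The (user|computer) received "([^"]+)" settings from these GPOs:')
# A run of =, # or - ends a list of GPO names.
SEPARATORS = ('=', '#', '-')


def parse_gpresult(text):
    """Return {'user': {'principal': dn, 'settings': {category: [gpo, ...]}}, 'computer': {...}}."""
    result = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m:
            scope = m.group(1).lower()
            # The principal's distinguished name is the next non-blank line.
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1
            principal = lines[j].strip() if j < len(lines) else ''
            result[scope] = {'principal': principal, 'settings': {}}
            i = j + 1
            continue
        m = CSE_RE.match(lines[i])
        if m:
            scope, category = m.group(1).lower(), m.group(2)
            gpos = []
            j = i + 1
            # Collect indented GPO names until the next separator rule.
            while j < len(lines) and not lines[j].startswith(SEPARATORS):
                name = lines[j].strip()
                if name:
                    gpos.append(name)
                j += 1
            result.setdefault(scope, {'principal': '', 'settings': {}})
            result[scope]['settings'][category] = gpos
            i = j
            continue
        i += 1
    return result


def gpos_applied(parsed, scope):
    """Distinct GPO names that delivered any setting to the given scope, in first-seen order."""
    names = []
    for gpos in parsed.get(scope, {}).get('settings', {}).values():
        for g in gpos:
            if g not in names:
                names.append(g)
    return names


def unexpected_gpos(parsed, scope, allowed):
    """GPOs that applied to `scope` but are not in `allowed` (e.g. a Students GPO reaching a teacher)."""
    return [g for g in gpos_applied(parsed, scope) if g not in allowed]


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GPRESULT
    parsed = parse_gpresult(text)
    for scope in ('user', 'computer'):
        if scope not in parsed:
            continue
        print('%s: %s' % (scope, parsed[scope]['principal']))
        for category, gpos in parsed[scope]['settings'].items():
            print('  %-28s %s' % (category, ', '.join(gpos)))
    # Assumed allowed set for a teacher account; adjust to your own OU design.
    teacher_ok = {'StaffPolicy', 'Teachers', 'Default Domain Policy'}
    print('unexpected GPOs for this user:', unexpected_gpos(parsed, 'user', teacher_ok))
```

If a teacher's output lists only StaffPolicy, Teachers and Default Domain Policy under "Registry" and "Internet Explorer Branding" yet the download block is still in effect, the restriction is not arriving through the Students GPO link at all, which is why the thread moves on to checking the Default Domain Policy and the IE-specific behaviour rather than OU linkage.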
 
LVL 7

Expert Comment

by:IceRaven
ID: 10859460
It looks fine!!!  I have an idea...

Right click the offending group policy object and select properties, click the security tab,

Deny the ability to read and apply group policy to the Staff Users.  So in other words even if it was applied to them they don't have the permission to read it.  Give it a go for me please.

Cheers,
Ice Raven.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10859516
If you don't have a staff security group just add in the user that you are testing with to see if the theory works.  The other diagnostic tool used to solve GP problems is Group Policy Management Console.

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

However it requires an Windows XP Machine to run, connected to your 2000 DC.

Cheers,
IceRaven.
0
 

Author Comment

by:seatea
ID: 10860030
I have now done this. Thankfully I created a new group in order to test this theory as when I deny the read and apply group policy it will not let me back in.

Still no joy though I'm afraid.  I really thought this wouldn't be a major problem, clearly I was wrong!!!

Listen I really appreciate your assistance with this and hope it is not taking up too much of your time.

seatea
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10864664


What do you mean by "not let you back in"?  Not let you back in to look at the GPO?  I am guessing your account is a member of staff, so as you denied access to that group you denied access to yourself.
So when you did this, did you refresh the policy and then log in as a teacher, try and access the internet and you still couldn't download files?
I'm not sure where to go from here, how can that policy apply itself to the teachers if they are denied access!
I have another idea to narrow down the problem area, create an account that is only a domain user, that's it, no other group, don't move it from the default OU, then log in on the offending computer as that user, can that user download files from the internet?

Cheers,
IceRaven
0
 

Author Comment

by:seatea
ID: 10866536
Yes, by denying the ability to read and apply group policy to the staff users, it wouldn't let me back in to return it to permit read and apply group policy.

I refreshed the policy as before.

Even purely as a domain user it will not allow me to download.

I find this a really confusing element to AD as the setting that is made is to the user configuration and by that definition you would think that if you have one set of users assigned to one group and denied downloading ability and another set of users assigned to another group permitted downloading ability that it would work.



0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10866582
I have found something else,  It only applies if the clients are running IE 6.... see what you think.  It sounds very similar to your problem.

http://support.microsoft.com/default.aspx?kbid=316116

Cheers,
IceRaven.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10866593
In your comment you are completely right, it shouldn't be doing this.  Only computer policies that apply to the computer and only user policies apply to the user.  You sure have managed to find something interesting going on here :)

Cheers,
IceRaven
0
 

Author Comment

by:seatea
ID: 10890744
Ok now I have contacted Microsoft for the patch which replaces the existing intres.adm file.  Alas, it still doesn't work.  I may have to look out for some decent third party software to conquer the problem!!
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 11522222
PAQed, with points refunded (500)

modulo
Community Support Moderator
0