Carlos-jm
asked on
Block Internet Access to a user using Group Policy on a 2003 Domain
Hi everyone
I've a 2003 server with 80 wokstarions and 120 users.
All workstation are P IV with XP Pro SP1
I do not have a proxy server.
I can buy one but I would like to know if group policy on a 2003 server domain can do the job.
I've tried to disable the use of IE to some users with Group Policy but that is made based on the .exe name and
they just install another browser or rename IE .exe name and I need to block MSN Messenger etc ....
On the same workstation I've users that need to access internet and others that do not and may not access
need help !
thank you all
Carlos
I've a 2003 server with 80 wokstarions and 120 users.
All workstation are P IV with XP Pro SP1
I do not have a proxy server.
I can buy one but I would like to know if group policy on a 2003 server domain can do the job.
I've tried to disable the use of IE to some users with Group Policy but that is made based on the .exe name and
they just install another browser or rename IE .exe name and I need to block MSN Messenger etc ....
On the same workstation I've users that need to access internet and others that do not and may not access
need help !
thank you all
Carlos
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Carlos-jm
Assigning limited access to users is difficult - if they have local administrator privs.
However, you can set a non-existent proxy with GPOs and then use GPOs to deny access to the connections page on the IE options dialog. But this will not stop them installing a different browser.
I can give you the GPO options and settings if you think this is the route you want to take, but if they are prepared to install different browsers you cannot stop them without a proxy server that integrates into AD and is therefore capable of assigning access by user account.
I can also give you GPO settings that will remove them from the local administrators group on all machines!
How do you want to proceed?
Cheers
JamesDS
Assigning limited access to users is difficult - if they have local administrator privs.
However, you can set a non-existent proxy with GPOs and then use GPOs to deny access to the connections page on the IE options dialog. But this will not stop them installing a different browser.
I can give you the GPO options and settings if you think this is the route you want to take, but if they are prepared to install different browsers you cannot stop them without a proxy server that integrates into AD and is therefore capable of assigning access by user account.
I can also give you GPO settings that will remove them from the local administrators group on all machines!
How do you want to proceed?
Cheers
JamesDS
MS claims IE integral to OS.
To block, HW is still best.
A) Have no HW connected to internet
If you need internet, you should not block.
If you must block, then you have no need
B) Have the HW filter set up to deny access to IP addresses
Where you have one LAN for local net, one for all net, this is trivial
C) Allow surfing
If you cannot trust employee staff behavior, then you also do not need them to access any computer.
Where there is abuse, try replacing, it is currently a hirers market, with abundance of job seekers
To block, HW is still best.
A) Have no HW connected to internet
If you need internet, you should not block.
If you must block, then you have no need
B) Have the HW filter set up to deny access to IP addresses
Where you have one LAN for local net, one for all net, this is trivial
C) Allow surfing
If you cannot trust employee staff behavior, then you also do not need them to access any computer.
Where there is abuse, try replacing, it is currently a hirers market, with abundance of job seekers
SunBow
Not sure what you are trying to say here ?
Sure, the IE browser is integral to the OS, but that doesn't stop a local administrator user installing another browser. There are a variety of IE alternatives - none of which is forced to use the IE options controls and therefore is independant of the built in and default GPOs.
I disagree that access to the internet is either all or nothing, as you seem to be suggesting. Consider the call centre or the security guard on a night shift, who are given a machine for a specific task. These people have no business need for access to the internet, but the same people using the machine (with the same IP) at other times may have a legitimate use for it.
To be usefully controlled, internet access should be assigned by user.
In most operations users are not granted local administrative privs and so cannot install an alternate browser. This allows us to easily lock down internet access by user, using user-based GPOs and GPO apply groups. In this case the users are apparently local administrators, so access must be handled externally to the local machine and existing domain infrastructure with a proxy server - but still on a per-user basis.
There is a stark difference between trusting your users not to look at, and distribute illegal porn and trusting your users not to sit around all day and look at holiday websites and ebay. Many users do not see a problem with wasting company time on the internet. Further, you cannot fire someone (in the UK) for playing on the internet all day unless you go through a "3 strikes and you're out" type procedure - otherwise you are simply opening yourself up to an unfair dismissal lawsuit, which you will then lose.
Cheers
JamesDS
Not sure what you are trying to say here ?
Sure, the IE browser is integral to the OS, but that doesn't stop a local administrator user installing another browser. There are a variety of IE alternatives - none of which is forced to use the IE options controls and therefore is independant of the built in and default GPOs.
I disagree that access to the internet is either all or nothing, as you seem to be suggesting. Consider the call centre or the security guard on a night shift, who are given a machine for a specific task. These people have no business need for access to the internet, but the same people using the machine (with the same IP) at other times may have a legitimate use for it.
To be usefully controlled, internet access should be assigned by user.
In most operations users are not granted local administrative privs and so cannot install an alternate browser. This allows us to easily lock down internet access by user, using user-based GPOs and GPO apply groups. In this case the users are apparently local administrators, so access must be handled externally to the local machine and existing domain infrastructure with a proxy server - but still on a per-user basis.
There is a stark difference between trusting your users not to look at, and distribute illegal porn and trusting your users not to sit around all day and look at holiday websites and ebay. Many users do not see a problem with wasting company time on the internet. Further, you cannot fire someone (in the UK) for playing on the internet all day unless you go through a "3 strikes and you're out" type procedure - otherwise you are simply opening yourself up to an unfair dismissal lawsuit, which you will then lose.
Cheers
JamesDS
ASKER
But I still have a problem, or I'm not understanding right.
- Access block is assigned to a computer, I NEED IT to be assigned to a USER on any computer he uses
Thank you
Carlos