Solved

Lockdown Internet Access but not Intranet via a GPO.

Posted on 2004-11-08
Last Modified: 2011-09-20
Just curious if this is possible. I would like to lock down internet access but not intranet access for an OU via a GPO, is this possible?


Thanks
0
Comment
Question by:Govnah
13 Comments
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12525639
Hi,

> lockdown internet access but not intranet access for an OU
It's doable. However, what's GPO?

Wesly
0
 

Author Comment

by:Govnah
ID: 12525661
GPO (Group Policy Object).
0
 
LVL 88

Expert Comment

by:rindi
ID: 12525705
I've had a similar problem and was told you could not. Your option is to install a proxy server which needs a login if someone wants to connect to the internet. Another possibility is to set a nonexistent proxy address in the Connections of your internet properties and then you can use GPO to restrict access to that tab, so the users can't change that address. I don't like that one though, because you can still connect to the internet using other options like another browser which has its own internet connection settings. You might also think of setting up your DHCP Server to supply a wrong gateway address, so those PCs using dynamic IP addresses wouldn't find the gateway.
0
 
LVL 8

Expert Comment

by:kain21
ID: 12525751
by lockdown do you mean security settings?
if so, this can be accomplished through group policy

or just not allow any access to the internet but still allow access to the internet?
if so, if all computers are on the same subnet you could eliminate the default gateway altogether which would prevent access to any computer not on the internal subnet...

0
 
LVL 8

Expert Comment

by:kain21
ID: 12525766
or just not allow any access to the internet but still allow access to the internet?

change that to allow access to the intranet...
0
 

Author Comment

by:Govnah
ID: 12525771
Intranet access and no Internet access. They are on the same subnet but they need to get to other subnets w/in hospital. So I guess the only answer is to use a proxy server....
0
 
LVL 8

Expert Comment

by:kain21
ID: 12525801
there's a couple of other options... do you know all of the subnets they need access to... if so you could specify specific routes for the subnets they need then route 0.0.0.0 (which would include all addresses it doesn't have a route for) and loop it back at itself... requests would timeout...
0
 
LVL 4

Expert Comment

by:Andy Keeney
ID: 12527111
Your router should have the ability to deny traffic from a certain IP address.  The downside is that anyone who logs into that machine cannot get online.  And if you are running DHCP you would have to set up a reservation on your DHCP server for that/those particular computer(s)
0
 
LVL 7

Accepted Solution

by:
knightfox earned 500 total points
ID: 12527922
ok this is very do-able...

You need to make sure that you have removed all access to the connection tab in Internet Explorer, I take it at the moment you specify the proxy to use via a GPO??? If you don't, create a GPO called internet & email settings, fire it down to a test station, I believe the path is

User Config\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

this way users can't change the setting to give themselves access back!!  To specify the current proxy to users that need internet access you need to specify in the internet & email GPO the proxy server to use, and also add bypass addresses for internal hosts... the main one in this case being

http://intranet

you can set the proxy here I believe

User Configuration, Windows Settings, Internet Explorer Maintenance, Connection
Proxy Settings (Proxy Servers and Exceptions)

Ok so now you are controlling what proxy to use and users can no longer set their own. both these settings are on the USER Config of the GPO....!!

We use this method at work, the easiest way to achieve this is firstly create a Global Security Group called

Internet Disabled  This will of course be the group you add members to to disable the internet for them....

the second part is to create a GPO called internet disabled, and again set the proxy to address=blank and the port=80 this way the system will try and use a blank proxy.. and well you guessed it .. won't work.  

now all you have to do is again using a GPO, sorry but I can't remember the path, it's in the IE section somewhere, you need to set the default home page to http://intranet this way your disabled users will still get a home page.

ok.. almost there.. all you need to do now is add some test users  into the internet disabled group and as if by magic the T-int-terrrnet tis gone...:))

any probs drop me a line back

knightfox
MCSE 2000/2003, CCNA, CompTIA Security+

0
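
A way to check the result on a test workstation, run as one of the restricted users (an added example, not part of the original answer; it assumes PowerShell 4.0 or later, `example.com` is a placeholder external host, and the `ConnectionsTab` policy value location is an assumption to confirm against your templates). It reads the per-user proxy values the GPO sets and then tests whether a connection that ignores the proxy still gets out, which is the gap rindi describes earlier in the thread.

```powershell
# Added example: audit an "Internet Disabled" workstation as the restricted user.
# Requires PowerShell 4.0+ (Test-NetConnection).
$intranetHost = 'intranet'      # internal site named in the answer
$externalHost = 'example.com'   # placeholder external probe target (assumption)

# Per-user proxy values used by Internet Explorer / WinINet.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Value written by the "Disable the Connections page" policy
# (assumed location; confirm against your ADM/ADMX templates).
$pol = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ErrorAction SilentlyContinue

# ProxyOverride is a semicolon-separated bypass list; '<local>' covers
# single-label names such as "intranet".
$bypass = @()
if ($inet.ProxyOverride) { $bypass = $inet.ProxyOverride -split ';' }

# These probes open plain TCP sockets and ignore the proxy setting, the same
# way a second browser or any non-IE client would.
$direct   = Test-NetConnection -ComputerName $externalHost -Port 80 `
    -InformationLevel Quiet -WarningAction SilentlyContinue
$internal = Test-NetConnection -ComputerName $intranetHost -Port 80 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

$report = [pscustomobject]@{
    ProxyEnabled        = ($inet.ProxyEnable -eq 1)
    ProxyServer         = $inet.ProxyServer
    IntranetBypassed    = (($bypass -contains $intranetHost) -or ($bypass -contains '<local>'))
    ConnectionsTabOff   = ($pol.ConnectionsTab -eq 1)
    IntranetReachable   = $internal
    DirectEgressBlocked = (-not $direct)
}
$report | Format-List

if (-not $report.ProxyEnabled) {
    Write-Warning 'Proxy is not enabled: the GPO did not apply to this user.'
}
if (-not $report.IntranetBypassed) {
    Write-Warning 'Intranet host is not in the bypass list: it will be sent to the dead proxy.'
}
if (-not $report.ConnectionsTabOff) {
    Write-Warning 'Connections tab is not restricted: the user can change the proxy back.'
}
if (-not $report.DirectEgressBlocked) {
    Write-Warning 'Direct TCP/80 to an external host works: only proxy-aware clients are blocked.'
}
```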
 
LVL 2

Expert Comment

by:Peregian
ID: 12532185
You could use a mesh box from www.locustworld.com , I'm sure someone on the mailing list mentioned setting up a 2 lan card device that uses a captive portal  requiring a username and password to access the internet. The software is free and you can use an old pc as gateway machine, just put it between the internet connection and the network.
Peter
0
 
LVL 88

Expert Comment

by:rindi
ID: 12542009
Peregian, that looks something like the proxy solution...

Knightfox, I don't think Govnah yet has a proxy server installed, at least I'm interpreting things that way. Right, Govnah?
0
 
LVL 2

Expert Comment

by:Peregian
ID: 12542613
It's not a proxy, more a gateway control. Your meshbox will allow internet access to any computer on the LAN as long as they have been given a username and password by you and you can add MAC address authentication too. Basically your network doesn't change at all, you just have to get authenticated when you want to access the internet. If you go to any computer on the network and open a browser it will take you to a webpage that has a username and password box on it. No authentication, no internet. Perfect solution if you want to be able to fully control who gets access to the net. You can customise the splash page with your own HTML too. You can also set up your own day long ticketed solution for visitors too. You will need to join the mailing list and ask the questions but it has been done before and the setup is simpler than you think when you first look at it. If you have an old P11 computer with 128mb ram and two network cards then you're ready to start testing.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 12544989
The principle is still the same....

Even if you are using a default gateway IP as the outbound address then, the proxy server can still be set to nothing to stop internet access.. it will still try and find a proxy that doesn't exist!!

fox
0
