Govnah
Lockdown Internet Access but not Intranet via a GPO.

Just curious if this is possible. I would like to lock down internet access but not intranet access for an OU via a GPO. Is this possible?


Thanks
wesly_chen

Hi,

> lockdown internet access but not intranet access for an OU
It's doable. However, what's GPO?

Wesly
Govnah

ASKER

GPO (Group Policy Object).
rindi
I've had a similar problem and was told you could not. Your option is to install a proxy server which needs a login if someone wants to connect to the internet. Another possibility is to set a nonexistent proxy address in the Connections tab of your internet properties and then you can use GPO to restrict access to that tab, so the users can't change that address. I don't like that one though, because you can still connect to the internet using other options like another browser which has its own internet connection settings. You might also think of setting up your DHCP server to supply a wrong gateway address, so those PCs using dynamic IP addresses wouldn't find the gateway.
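The "nonexistent proxy plus locked Connections tab" idea, written out as an added PowerShell example (not code from rindi or from this thread). It writes the per-user WinINET values that Internet Options and the IE Group Policy templates use, adds an intranet bypass list so local names still resolve, and reads the result back; the proxy address and the internal DNS suffix are constructed placeholders.

```powershell
# Added example: emulate the GPO approach locally for one user.
# Registry paths are the standard WinINET / IE policy locations; the
# proxy address and the intranet suffix below are constructed placeholders.
$inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# 1. Point WinINET at a proxy that nothing listens on; internet requests
#    from WinINET-aware applications then fail to connect.
Set-ItemProperty -Path $inet -Name ProxyEnable -Type DWord  -Value 1
Set-ItemProperty -Path $inet -Name ProxyServer -Type String -Value '127.0.0.1:1'

# 2. Bypass the proxy for intranet destinations so internal subnets keep
#    working. <local> matches hostnames without a dot; add the internal
#    DNS suffix(es) the OU actually needs (placeholder shown).
Set-ItemProperty -Path $inet -Name ProxyOverride -Type String -Value '<local>;*.hospital.example'

# 3. Hide the Connections tab so the user cannot undo steps 1-2. This is
#    the same value the GPO "Disable the Connections page" sets under
#    User Configuration > Administrative Templates > Internet Explorer >
#    Internet Control Panel.
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name ConnectionsTab -Type DWord -Value 1

# 4. Read back what was applied so the change can be verified or audited.
function Get-ProxyLockState {
    $p = Get-ItemProperty -Path $inet
    [pscustomobject]@{
        ProxyEnabled     = [bool]$p.ProxyEnable
        ProxyServer      = $p.ProxyServer
        IntranetBypass   = $p.ProxyOverride
        ConnectionsTabHidden = ((Get-ItemProperty -Path $policy).ConnectionsTab -eq 1)
    }
}
Get-ProxyLockState
```

Only software that honours the WinINET proxy settings is affected; a program with its own proxy configuration, or any host with a working default route, is not, which is the weakness rindi points out above.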
by lockdown do you mean security settings?
if so, this can be accomplished through group policy

or just not allow any access to the internet but still allow access to the internet?
if so, if all computers are on the same subnet you could eliminate the default gateway altogether which would prevent access to any computer not on the internal subnet...

or just not allow any access to the internet but still allow access to the internet?

change that to allow access to the intranet...
Govnah

ASKER

Intranet access and no Internet access. They are on the same subnet but they need to get to other subnets within the hospital. So I guess the only answer is to use a proxy server....
There's a couple of other options... do you know all of the subnets they need access to? If so, you could specify specific routes for the subnets they need, then route 0.0.0.0 (which would include all addresses it doesn't have a route for) and loop it back at itself... requests would time out...
Your router should have the ability to deny traffic from a certain IP address. The downside is that anyone who logs into that machine cannot get online. And if you are running DHCP you would have to set up a reservation on your DHCP server for that/those particular computer(s).
ASKER CERTIFIED SOLUTION
Paul Knight
You could use a mesh box from www.locustworld.com, I'm sure someone on the mailing list mentioned setting up a 2 LAN card device that uses a captive portal requiring a username and password to access the internet. The software is free and you can use an old PC as the gateway machine, just put it between the internet connection and the network.
Peter
Peregian, that looks something like the proxy solution...

Knightfox, I don't think Govnah yet has a proxy server installed, at least I'm interpreting things that way. Right, Govnah?
It's not a proxy, more a gateway control. Your meshbox will allow internet access to any computer on the LAN as long as they have been given a username and password by you, and you can add MAC address authentication too. Basically your network doesn't change at all, you just have to get authenticated when you want to access the internet. If you go to any computer on the network and open a browser it will take you to a webpage that has a username and password box on it. No authentication, no internet. Perfect solution if you want to be able to fully control who gets access to the net. You can customise the splash page with your own HTML too. You can also set up your own day-long ticketed solution for visitors too. You will need to join the mailing list and ask the questions, but it has been done before and the setup is simpler than you think when you first look at it. If you have an old P11 computer with 128MB RAM and two network cards then you're ready to start testing.
The principle is still the same....

Even if you are using a default gateway IP as the outbound address, then the proxy server can still be set to nothing to stop internet access.. it will still try and find a proxy that doesn't exist!!

fox