Lock down Internet access but not intranet access via a GPO.

Just curious if this is possible. I would like to lock down Internet access but not intranet access for an OU via a GPO. Is this possible?

Thanks
GovnahAsked:
wesly_chenCommented:
Hi,

> lockdown internet access but not intranet access for an OU
It's doable. However, what's GPO?

Wesly
0
GovnahAuthor Commented:
GPO (Group Policy Object).
0
rindiCommented:
I've had a similar problem and was told you could not. Your option is to install a proxy server which needs a login if someone wants to connect to the Internet. Another possibility is to set a nonexistent proxy address in the Connections tab of your Internet properties, and then you can use a GPO to restrict access to that tab so the users can't change that address. I don't like that one, though, because you can still connect to the Internet using other options like another browser which has its own Internet connection settings. You might also think of setting up your DHCP server to supply a wrong gateway address, so those PCs using dynamic IP addresses wouldn't find the gateway.
0
kain21Commented:
By lockdown, do you mean security settings?
If so, this can be accomplished through Group Policy.

Or just not allow any access to the internet but still allow access to the internet?
If so, and if all computers are on the same subnet, you could eliminate the default gateway altogether, which would prevent access to any computer not on the internal subnet...

0
kain21Commented:
"or just not allow any access to the internet but still allow access to the internet?"

Change that to "allow access to the intranet"...
0
GovnahAuthor Commented:
Intranet access and no Internet access. They are on the same subnet but they need to get to other subnets within the hospital. So I guess the only answer is to use a proxy server....
0
kain21Commented:
There are a couple of other options... Do you know all of the subnets they need access to? If so, you could specify specific routes for the subnets they need, then route 0.0.0.0 (which would include all addresses it doesn't have a route for) and loop it back at itself... requests would time out...
0
Andy KeeneyCommented:
Your router should have the ability to deny traffic from a certain IP address. The downside is that anyone who logs into that machine cannot get online. And if you are running DHCP, you would have to set up a reservation on your DHCP server for that/those particular computer(s).
0
knightfoxCommented:
OK, this is very doable...

You need to make sure that you have removed all access to the Connections tab in Internet Explorer. I take it that at the moment you specify the proxy to use via a GPO??? If you don't, create a GPO called "Internet & Email Settings" and fire it down to a test station. I believe the path is

User Config\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel

This way users can't change the setting to give themselves access back!! To specify the current proxy to users that need Internet access, you need to specify in the Internet & Email GPO the proxy server to use, and also add bypass addresses for internal hosts... the main one in this case being

http://intranet

You can set the proxy here, I believe:

User Configuration, Windows Settings, Internet Explorer Maintenance, Connection
Proxy Settings (Proxy Servers and Exceptions)

OK, so now you are controlling which proxy to use and users can no longer set their own. Both these settings are in the User Configuration of the GPO....!!

We use this method at work. The easiest way to achieve this is firstly to create a Global Security Group called

Internet Disabled. This will of course be the group you add members to in order to disable the Internet for them....

The second part is to create a GPO called Internet Disabled, and again set the proxy to address=blank and port=80. This way the system will try to use a blank proxy... and, well, you guessed it... it won't work.

Now all you have to do is, again using a GPO (sorry, but I can't remember the path; it's in the IE section somewhere), set the default home page to http://intranet. This way your disabled users will still get a home page.

OK... almost there... all you need to do now is add some test users into the Internet Disabled group and, as if by magic, the Internet is gone...:))

Any problems, drop me a line back.

knightfox
MCSE 2000/2003, CCNA, CompTIA Security+

0
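The procedure knightfox describes (an "Internet Disabled" global security group, a GPO security-filtered to that group, a Connections tab the user cannot edit, a proxy that can never be reached with bypass entries for intranet hosts, and an enforced home page of http://intranet) scripted end to end with the RSAT GroupPolicy and ActiveDirectory cmdlets. This is an added example, not code from the thread or from any poster; the OU distinguished name, the example.com domain, the bypass list, the test account name and the unresolvable proxy name proxy.invalid (a TLD reserved by RFC 2606) are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): scripts the "Internet Disabled" group + GPO
# approach. Needs the RSAT GroupPolicy and ActiveDirectory modules and rights to
# create groups and GPOs. Names, OU, domain and bypass list are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GroupName = 'Internet Disabled'                    # group name used in the thread
$GpoName   = 'Internet Disabled'                    # GPO name used in the thread
$TargetOU  = 'OU=Workstations,DC=example,DC=com'    # assumption: your OU
$HomePage  = 'http://intranet'                      # home page from the thread
# Hosts that must NOT be sent to the (dead) proxy; '<local>' = names without a dot.
$Bypass    = 'intranet;*.example.com;10.*;<local>'  # assumption: your intranet
# A proxy that can never resolve: .invalid is reserved by RFC 2606.
$DeadProxy = 'proxy.invalid:80'

# 1. Global security group; membership means "no Internet".
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. GPO linked to the OU and security-filtered so only group members apply it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}
# Authenticated Users keep Read only: since MS16-072 the computer account reads
# user-side GPOs, so removing Read entirely would stop the policy applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. User Configuration registry policies (the Internet Control Panel keys).
$CtlPanel = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$IEMain   = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Main'
$WinInet  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Hide the Connections tab, block proxy changes and lock the home page.
Set-GPRegistryValue -Name $GpoName -Key $CtlPanel -ValueName 'ConnectionsTab' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $CtlPanel -ValueName 'Proxy'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $CtlPanel -ValueName 'HomePage'       -Type DWord -Value 1 | Out-Null

# Enforced start page so "disabled" users still land on the intranet.
Set-GPRegistryValue -Name $GpoName -Key $IEMain -ValueName 'Start Page' -Type String -Value $HomePage | Out-Null

# WinINET proxy that cannot be reached, with intranet hosts on the bypass list.
Set-GPRegistryValue -Name $GpoName -Key $WinInet -ValueName 'ProxyEnable'   -Type DWord  -Value 1          | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WinInet -ValueName 'ProxyServer'   -Type String -Value $DeadProxy | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WinInet -ValueName 'ProxyOverride' -Type String -Value $Bypass    | Out-Null

# 4. Add a test user, then export the GPO report to review what was written.
Add-ADGroupMember -Identity $GroupName -Members 'testuser1'   # assumption: test account
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Run it on a management host with RSAT as an account allowed to create groups and GPOs, then log a member of the group on to a test station, run gpupdate /force, and confirm that http://intranet loads while an external site fails with a proxy error. Because the GPO is filtered to the group rather than to the OU, adding or removing a user from Internet Disabled is the whole change; the same registry values also show up under Extra Registry Settings in the GPO report, which is where to look if a value was mistyped. Note that these settings only govern software that honours the WinINET proxy configuration, which is the gap rindi points out; a browser or tool with its own proxy settings is unaffected, and only a gateway, router ACL or route restriction of the kind kain21 and Andy Keeney describe closes it at the network layer.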

PeregianCommented:
You could use a mesh box from www.locustworld.com. I'm sure someone on the mailing list mentioned setting up a two-LAN-card device that uses a captive portal requiring a username and password to access the Internet. The software is free and you can use an old PC as the gateway machine; just put it between the Internet connection and the network.
Peter
0
rindiCommented:
Peregian, that looks something like the proxy solution...

Knightfox, I don't think Govnah has a proxy server installed yet, at least I'm interpreting things that way. Right, Govnah?
0
PeregianCommented:
It's not a proxy, more a gateway control. Your meshbox will allow Internet access to any computer on the LAN as long as they have been given a username and password by you, and you can add MAC address authentication too. Basically your network doesn't change at all; you just have to get authenticated when you want to access the Internet. If you go to any computer on the network and open a browser, it will take you to a web page that has a username and password box on it. No authentication, no Internet. Perfect solution if you want to be able to fully control who gets access to the net. You can customise the splash page with your own HTML too. You can also set up your own day-long ticketed solution for visitors. You will need to join the mailing list and ask the questions, but it has been done before and the setup is simpler than you think when you first look at it. If you have an old PII computer with 128 MB RAM and two network cards, then you're ready to start testing.
0
knightfoxCommented:
The principle is still the same....

Even if you are using a default gateway IP as the outbound address, the proxy server can still be set to nothing to stop Internet access... it will still try to find a proxy that doesn't exist!!

fox
0