What is the most sensible and non-expensive way to separate the student and teacher areas of a secondary school LAN?

Posted on 2004-11-30
Last Modified: 2010-04-11
Here in Norway, the school authorities recommend that we use two separate networks for students and teachers.

But is that really necessary?

Isn't it enough with a single 2003 server domain, well set-up group policies and permissions? A password on the BIOS. Use a group policy to force student PCs to log onto the domain (although I'm not sure how to hinder student access at the DOS level).

We have a small school with only 35 computers.  Both students and teachers need access to the internet from one broadband connection.

Since we are not running any web or email servers out to the public internet, is it really necessary to buy a hardware firewall?  They are so expensive.  We just have a basic NAT broadband modem.

If we have two separate networks, then as far as I understand, we will need 2 servers instead of one, and a hardware firewall with 2 or 3 legs to separate the two networks whilst giving both access to the internet.  All of this is going to be much more expensive!!

What do you guys do in other SMALL schools???

I would really value some well informed advice on how to set it up, from those of you in the know.
Question by: Alistair7
    LVL 7

    Assisted Solution

    The question is why they believe 2 networks are better than just 1.
    Also, it is possible to set up 2 networks with 2 different IP schemes in the same room. It's more work and,
    depending on how you set it up, they can either be separated entirely until you hit your internet connection
    or bound in a way where they coincide, which is a headache to work with.

    Review your pros and cons:

    1. cost value
    2. overall efficiency
    3. cost of maintenance
    4. possible pros for separation

    (although I'm not sure how to hinder student access at the dos level)
    1. BIOS password
    2. remove BIOS bootable options and boot to C: or the OS partition, remove the floppy and CD-ROM options
    3. lock the tower
    4. disable USB use
    5. use GPOs to create a more restricted desktop, where all they're allowed to do is run items from the
    Start menu and maybe save items to My Documents.
    6. remove the Run command
    7. disallow CD-ROM access and startup options
    8. 1 month scan for viruses, malware, adware
    9. try to hack yourself into the system with the security in place.
    10. remove the right-click option
    11. audit "success" on valuable data on your teachers' systems. Track PC.

    There are more options but you get the idea.
    Hopefully someone can give you better insight on separation of student and teacher.

    Author Comment

    I guess my basic questions are:  

    Isn't a single 2003 domain, with one subnet, secure enough to stop secondary students gaining access to teacher computers?

    And do we really need an expensive hardware firewall when we have no web server or mail server? (I have used Zonealarm, Adaware, Winpatrol, etc.) But only Winpatrol is free for use in a school setting.
    LVL 11

    Expert Comment

    It is not necessary to have an expensive hardware firewall: use a cheap PC with two NICs and install Smoothwall on it. It is really simple to set up even if you don't know anything about Linux, free (and Open Source) and has great documentation.
    LVL 11

    Assisted Solution

    You can also configure Smoothwall to work as a proxy, which would be a benefit in a school to control access to the internet and to speed up many operations.
    As for your domain, I think you could simply disable login for the students on some machines, that will be used only by teachers, then protect shares (use subinacl.exe downloadable freely from Microsoft and maybe DumpAcl, also free, from to have a report of the permissions you already gave). Other than this, use sound group policies and you should be done.
    Hope it helps, Elbereth.
    LVL 26

    Accepted Solution

    You can easily use Windows 2K3 using group-level security: add your students to 1 group (user permissions only) and your teachers to another group. Check that only the teachers group has access to their PC. You can check that on the security tabs of your folders. Just also remember your default shares if using Windows 2K on your desktops. In your default domain policy on your Active Directory, you can further secure your workstations by modifying the "Allow log on locally" option. To find your group policy in Active Directory, right-click the domain name, click Properties, click Group Policy, click Edit. You should then enter an MMC console screen. Drill down as follows: Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment. Here you will find a whole host of options to restrict user logins and their security across the whole domain. Just check out the help if you get stuck... Microsoft did some decent work on the help here.
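
The "Allow log on locally" setting mentioned in the accepted answer can be checked on each teacher PC from the file written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The script below is an added example, not part of the original thread: the domain SID, the group RIDs and the sample exports are constructed, and it assumes students sit in one domain group whose SID you know.

```python
ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"
BROAD_SIDS = {                         # well-known SIDs that take in every student
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",  # Domain Users is a member on domain PCs
}

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names appear bare.
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights

def audit_teacher_pc(inf_text, students_sid, domain_sid):
    """Return the reasons students could log on locally to this PC."""
    rights = parse_privilege_rights(inf_text)
    allow, deny = rights.get(ALLOW, set()), rights.get(DENY, set())
    if students_sid in deny:
        return []                      # an explicit deny overrides any allow
    risky = dict(BROAD_SIDS)
    risky[domain_sid + "-513"] = "Domain Users"
    risky[students_sid] = "Students group"
    return sorted(f"{ALLOW} includes {label} ({sid})"
                  for sid, label in risky.items() if sid in allow)

# Constructed sample data: the domain SID and group RIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
STUDENTS_SID, TEACHERS_SID = DOMAIN_SID + "-1105", DOMAIN_SID + "-1106"
DEFAULT_PC = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
LOCKED_PC = f"[Privilege Rights]\n{ALLOW} = *S-1-5-32-544,*{TEACHERS_SID}\n"
DENIED_PC = DEFAULT_PC + f"{DENY} = *{STUDENTS_SID}\n"

if __name__ == "__main__":
    for name, pc in [("default", DEFAULT_PC), ("locked", LOCKED_PC), ("denied", DENIED_PC)]:
        print(name, audit_teacher_pc(pc, STUDENTS_SID, DOMAIN_SID) or "OK")
```

A teacher PC left at the default assignment is reported because BUILTIN\Users still holds the right; restricting the right to Administrators and the teachers group, or adding the students group to "Deny log on locally", clears the finding.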
