Enabling and disabling Internet access on a per user basis

Posted on 2005-04-06
Last Modified: 2008-03-17
I need to know if I can enable or disable Internet surfing on a per-user basis.

I have a W2000 Server with AD Domain and some W2000 Clients, who log in to the Domain. I log in as Administrator on the Clients, and the gateway (the server) and proxy (a linux box) are correctly set on each client so that I can download critical updates.

When users log in with their user accounts, I have to disable any Internet browsing. They are able to open Internet Explorer 6, because HTML files are shown this way, and then they can start surfing.

What do I have to configure to solve this? Do I have to destroy the Internet connection settings each time I have logged in as Admin in order to load all patches? Or can I configure something on the server?
Question by: PC-Alex
    LVL 12

    Expert Comment


    You should be able to control this at the proxy.   I am assuming your users can get to the internet only through the proxy, and that the proxy is able to authenticate connections.  Just don't give your users any access to the internet through the proxy.  When you login to a workstation as an administrator, your proxy server should be able to identify you as an administrator and allow you to connect to the internet.

    Alternatively, you should be able to configure the proxy to allow your end-users to access *only* the Windows update site and let the updates happen automatically.

    LVL 1

    Expert Comment

    Hi PC-Alex,
    This process works very well for me
    You can get the gist of the process and modify it to your network
    I mean that all general things apply but there are references to my own network locations that will not apply to your network
    This process is invoked on the workstation level.
    It works for me because although I have 50 or so nodes on my network, only a few have to be restricted.

    Restricting Internet Access

    Quick Set-up:
    1.      Log in to the local machine as Admin.
    2.      Add the user to the local Admin group.
    3.      Copy noaccess.rat (\\ces-net\install\internet) to the local machine’s C:\winnt\system32
    4.      Double click the registry file that pertains to the department approved websites.
    5.      Log off as admin and test accessibility under the user.

    1.      Log on to the local workstation as Admin (Local or Network).
    2.      Go to: Start->Programs->Admin Tools->User Manager
    3.      Add the CES domain user that accesses this workstation to the local admin group. Close UM.
    4.      Make sure all applications are closed.

    Copy the text below and paste it into Notepad:
    ((PICS-version 1.0)
    (rating-system "")
    (rating-service "")
    (name "Noaccess")
    (description "This file will block all sites.")

    (category
    (transmit-as "m")
    (name "Yes")
    (label
    (name "Level 0:   No Setting")
    (description "No Setting")
    (value 0) )
    (label
    (name "Level 1:   No Setting")
    (description "No Setting")
    (value 1) ) ))
    Name this file noaccess.rat. Make sure that it is a normal ASCII text file.

    5.      Copy the noaccess.rat file to one of the following locations:
    Windows 2000 and Windows NT 4.0 = winnt\system32
    Windows 95 or 98 = windows\system
    6.      Merge the cesapprovedsites.reg located at \\ces-net\install\internet  
    7.      In Control Panel, double-click to open the Internet Options icon, and then click the Content tab.
    8.      Click Enable. Note: The password for the content advisor is the same as the system administrator’s; this was preset from the previous step.
    9.      If the Enable button is not visible, and you only see the Disable button, then Content Advisor is already enabled and you should stop now or risk losing all your existing settings. If you wish to continue, then click the Settings button in place of the Enable button.
    10.      On the General tab, click the Rating Systems button, and then remove all the existing rating systems entries.
    11.      Click Add, and then select the No access ratings system.
    12.      Click OK to close the Rating Systems window.
    13.      Click the General tab, and make sure that under User options, the setting Users can see sites that have no rating is not checked.
    14.      Click the Advanced tab. Under Ratings bureau, set the Ratings bureau list box to [None].
    15.      Log in as the user you are denying or restricting and test it out!

    When you want to do maintenance, use the admin password to disable content advisor.

    Good luck,
    LVL 1

    Author Comment


    The proxy is a Linux box; I do not know if it can distinguish Windows accounts from the incoming requests (I even think it can't).

    I also cannot restrict the sites because I have several reasons why I must be able to get everywhere as administrator (e.g. driver download, webmailer, etc.).
    LVL 12

    Expert Comment

    If I understand correctly, *you* need full internet access from these machines but the end-users should have *no* internet access.

    Your proxy must support authentication of *some* kind, even if it would use a Windows DC. Set up a userid/password on the proxy and don't give it to any of the users.

    Alternatively, it may be possible to set up an Active Directory group policy that restricts users (and not administrators) to selected sites (like Windows Update).  This would be better because then the critical updates could be automatic.  However, I'm not sure how this can be done... what I've read so far is not encouraging.

    LVL 6

    Accepted Solution

    You can use Group Policy to set their proxy server to a random number, then disallow changing that setting.  Thus, effectively, they won't have Internet access, but will still be able to view html documents on the local computer.  Only apply the GP to the Users group.

    The GP settings to change are:
    For the fake Proxy Server:
    User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

    Disallow changing that setting:
    User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Disable changing proxy settings
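
A check for the lockdown described in the accepted solution, as an added example that is not part of the original thread: it reads the per-user registry values that the two Group Policy settings write and reports any deviation. It assumes a Windows version with PowerShell 3.0 or later; the function name `Test-IeProxyLockdown` and the dummy proxy `127.0.0.1:9` are illustrative placeholders, not values from the thread.

```powershell
# Added example: audit the per-user proxy lockdown (not code from the thread).
function Test-IeProxyLockdown {
    param(
        # Constructed placeholder: use the dummy proxy value set in your own GPO.
        [string]$ExpectedProxy = '127.0.0.1:9',
        # Registry root of the user to check; HKCU: is the logged-on user.
        [string]$Hive = 'HKCU:'
    )
    $settings = "$Hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $policy   = "$Hive\Software\Policies\Microsoft\Internet Explorer\Control Panel"

    # Return one registry value, or $null when the key or value is absent.
    function Get-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $findings = @()
    if ((Get-Value $settings 'ProxyEnable') -ne 1) {
        $findings += 'ProxyEnable is not 1: the dummy proxy is not in use'
    }
    $server = Get-Value $settings 'ProxyServer'
    if ($server -ne $ExpectedProxy) {
        $findings += "ProxyServer is '$server', expected '$ExpectedProxy'"
    }
    if ((Get-Value $policy 'Proxy') -ne 1) {
        $findings += 'Policy value Proxy is not 1: the user can edit proxy settings'
    }
    if (Get-Value $settings 'AutoConfigURL') {
        $findings += 'AutoConfigURL is set: a PAC script can override the manual proxy'
    }

    [pscustomobject]@{
        Hive      = $Hive
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Run as the restricted user; a non-empty Findings list means the GPO did not apply.
Test-IeProxyLockdown | Format-List
```

Running it under an administrator account that is outside the GPO's scope should report all three settings as missing, which confirms the policy is filtered to the Users group only.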

    LVL 1

    Author Comment

    Thanks everyone for the comments so far.

    Today I will test salvagbf's advice, because we use GPOs anyway and this seems the easiest way to get going.

    I will tell you tomorrow if it worked.
