PC-Alex

Enabling and disabling Internet access on a per user basis

I need to know if I can enable or disable Internet surfing on a per-user basis.

I have a W2000 Server with AD Domain and some W2000 Clients, who log in to the Domain. I log in as Administrator on the Clients, and the gateway (the server) and proxy (a linux box) are correctly set on each client so that I can download critical updates.

When users log in with their user accounts, I have to disable any Internet browsing. They are able to open Internet Explorer 6, because HTML files are shown this way, and then they can start surfing.

What do I have to configure to solve this? Do I have to destroy the Internet connection settings each time I have logged in as Admin in order to load all patches? Or can I configure something on the server?
Carlo-Giuliani

You should be able to control this at the proxy.   I am assuming your users can get to the internet only through the proxy, and that the proxy is able to authenticate connections.  Just don't give your users any access to the internet through the proxy.  When you login to a workstation as an administrator, your proxy server should be able to identify you as an administrator and allow you to connect to the internet.

Alternatively, you should be able to configure the proxy to allow your end-users to access *only* the Windows update site and let the updates happen automatically.
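
A way to check from the proxy's own logs that the policy described in this answer is actually enforced (only the administrator's proxy account browses freely, everyone else reaches only the update sites). This is an added example, not part of the original thread; it assumes the Linux proxy is Squid writing its native access.log format, and the account name `proxyadmin`, the update domain list and the sample log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions (not from the thread): Squid native access.log format, an admin
# proxy account named "proxyadmin", and these update domains allowed for all.
ADMIN_USERS = {"proxyadmin"}
UPDATE_DOMAINS = ("windowsupdate.com", "update.microsoft.com")

# Constructed sample log lines, not taken from a real proxy.
SAMPLE_LOG = """\
1066037222.011 126 192.168.1.20 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1066037230.500 340 192.168.1.20 TCP_MISS/200 5120 CONNECT update.microsoft.com:443 - DIRECT/203.0.113.10 -
1066037241.120 210 192.168.1.5 TCP_MISS/200 88211 GET http://drivers.example.net/nic.exe proxyadmin DIRECT/203.0.113.44 application/octet-stream
1066037250.700 2 192.168.1.21 TCP_DENIED/407 1790 GET http://www.example.org/ - NONE/- text/html
1066037262.310 95 192.168.1.21 TCP_MISS/200 2048 GET http://windowsupdate.com.example.net/ - DIRECT/203.0.113.77 text/html
"""

def host_of(method, url):
    """Return the lower-cased destination host of a logged request."""
    if method == "CONNECT":                  # CONNECT is logged as host:port
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_update_host(host):
    """Match the domain itself or a true subdomain, never a lookalike prefix."""
    return any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS)

def policy_violations(log_text):
    """List (client, user, host) for requests the proxy served against policy."""
    found = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue                         # skip malformed lines
        client, result, method, url, user = f[2], f[3], f[5], f[6], f[7]
        host = host_of(method, url)
        if result.startswith("TCP_DENIED"):
            continue                         # the proxy refused this request
        if user in ADMIN_USERS or is_update_host(host):
            continue                         # permitted by the policy
        found.append((client, user, host))
    return found

if __name__ == "__main__":
    for violation in policy_violations(SAMPLE_LOG):
        print(violation)
```

A user field of `-` means the request carried no proxy credentials, so any served request with `-` outside the update domains shows that the proxy is still letting unauthenticated clients through.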

mikeabrunette

Hi PC-Alex,
This process works very well for me.
You can get the gist of the process and modify it to your network.
I mean that all general things apply, but there are references to my own network locations that will not apply to your network.
This process is invoked on the workstation level.
It works for me because although I have 50 or so nodes on my network, only a few have to be restricted.

Restricting Internet Access

Quick Set-up:
1.      Log in to the local machine as Admin.
2.      Add the user to the local Admin group.
3.      Copy noaccess.rat (\\ces-net\install\internet) to the local machine’s C:\winnt\system32
4.      Double click the registry file that pertains to the department approved websites.
5.      Log off as admin and test accessibility under the user.

Steps:
1.      Log on to the local workstation as Admin (Local or Network).
2.      Go to: Start->Programs->Admin Tools->User Manager
3.      Add the CES domain user that accesses this workstation to the local admin group. Close UM.
4.      Make sure all applications are closed.


Copy the text below and paste it into Notepad:
((PICS-version 1.0)
(rating-system "http://www.microsoft.com")
(rating-service "http://www.microsoft.com")
(name "Noaccess")
(description "This file will block all sites.")

(category
(transmit-as "m")
(name "Yes")
(label
(name "Level 0:   No Setting")
(description "No Setting")
(value 0) )
(label
(name "Level 1:   No Setting")
(description "No Setting")
(value 1) ) ))
 
Name this file noaccess.rat. Make sure that it is a normal ASCII text file.

5.      Copy the noaccess.rat file to one of the following locations:
Windows 2000 and Windows NT 4.0 = winnt\system32
Windows 95 or 98 = windows\system
6.      Merge the cesapprovedsites.reg located at \\ces-net\install\internet  
7.      In Control Panel, double-click to open the Internet Options icon, and then click the Content tab.
8.      Click Enable. Note: The password for the content advisor is the same as the system administrator’s; this was preset from the previous step.
9.      If the Enable button is not visible, and you only see the Disable button, then Content Advisor is already enabled and you should stop now or risk losing all your existing settings. If you wish to continue, then click the Settings button in place of the Enable button.
10.      On the General tab, click the Rating Systems button, and then remove all the existing rating systems entries.
11.      Click Add, and then select the No access ratings system.
12.      Click OK to close the Rating Systems window.
13.      Click the General tab, and make sure that under User options, the setting Users can see sites that have no rating is not checked.
14.      Click the Advanced tab. Under Ratings bureau, set the Ratings bureau list box to [None].
15.      Log in as the user you are denying or restricting and test it out!

When you want to do maintenance, use the admin password to disable content advisor.

Good luck,
Mike
PC-Alex

ASKER

Carlo,

The proxy is a Linux box; I do not know if it can distinguish Windows accounts from the incoming requests (I even think it can't).

I also cannot restrict the sites because I have several reasons why I must be able to get everywhere as administrator (e.g. driver download, webmailer, etc.).

If I understand correctly, *you* need full internet access from these machines but the end-users should have *no* internet access.

Your proxy must support authentication of *some* kind, even if it would use a Windows DC.   Setup a userid/password on the proxy and don't give it to any of the users.

Alternatively, it may be possible to set up an Active Directory group policy that restricts users (and not administrators) to selected sites (like Windows Update).  This would be better because then the critical updates could be automatic.  However, I'm not sure how this can be done... what I've read so far is not encouraging.


ASKER CERTIFIED SOLUTION
Bernie Salvaggio
This solution is only available to members.
PC-Alex

ASKER

Thanks everyone for the comments so far.

Today I will test salvagbf's advice, because we use GPOs anyway and this seems the easiest way to get going.

I will tell tomorrow if it worked.