Enabling and disabling Internet access on a per user basis

Posted on 2005-04-06
Medium Priority
Last Modified: 2008-03-17
I need to know if I can enable or disable Internet surfing on a per-user basis.

I have a W2000 Server with AD Domain and some W2000 Clients, who log in to the Domain. I log in as Administrator on the Clients, and the gateway (the server) and proxy (a linux box) are correctly set on each client so that I can download critical updates.

When users log in with their user accounts, I have to disable any Internet browsing. They are able to open Internet Explorer 6, because HTML files are shown this way, and then they can start surfing.

What do I have to configure to solve this? Do I have to destroy the Internet connection settings each time I have logged in as Admin in order to load all patches? Or can I configure something on the server?
Question by: PC-Alex

Expert Comment

ID: 13718401

You should be able to control this at the proxy. I am assuming your users can get to the internet only through the proxy, and that the proxy is able to authenticate connections. Just don't give your users any access to the internet through the proxy. When you log in to a workstation as an administrator, your proxy server should be able to identify you as an administrator and allow you to connect to the internet.

Alternatively, you should be able to configure the proxy to allow your end-users to access *only* the Windows update site and let the updates happen automatically.


Expert Comment

ID: 13718879
Hi PC-Alex,
This process works very well for me.
You can get the gist of the process and modify it to your network.
I mean that all general things apply, but there are references to my own network locations that will not apply to your network.
This process is invoked on the workstation level.
It works for me because although I have 50 or so nodes on my network, only a few have to be restricted.

Restricting Internet Access

Quick Set-up:
1. Log in to the local machine as Admin.
2. Add the user to the local Admin group.
3. Copy noaccess.rat (\\ces-net\install\internet) to the local machine’s C:\winnt\system32
4. Double click the registry file that pertains to the department approved websites.
5. Log off as admin and test accessibility under the user.

1. Log on to the local workstation as Admin (Local or Network).
2. Go to: Start->Programs->Admin Tools->User Manager
3. Add the CES domain user that accesses this workstation to the local admin group. Close UM.
4. Make sure all applications are closed.

Copy the text below and paste it into Notepad:
((PICS-version 1.0)
(rating-system "http://www.microsoft.com")
(rating-service "http://www.microsoft.com")
(name "Noaccess")
(description "This file will block all sites.")

(category
(transmit-as "m")
(name "Yes")
(label
(name "Level 0:   No Setting")
(description "No Setting")
(value 0) )
(label
(name "Level 1:   No Setting")
(description "No Setting")
(value 1) ) ))
Name this file noaccess.rat. Make sure that it is a normal ASCII text file.

5. Copy the noaccess.rat file to one of the following locations:
   Windows 2000 and Windows NT 4.0 = winnt\system32
   Windows 95 or 98 = windows\system
6. Merge the cesapprovedsites.reg located at \\ces-net\install\internet
7. In Control Panel, double-click to open the Internet Options icon, and then click the Content tab.
8. Click Enable. Note: The password for the content advisor is the same as the system administrator’s; this was preset from the previous step.
9. If the Enable button is not visible, and you only see the Disable button, then Content Advisor is already enabled and you should stop now or risk losing all your existing settings. If you wish to continue, then click the Settings button in place of the Enable button.
10. On the General tab, click the Rating Systems button, and then remove all the existing rating systems entries.
11. Click Add, and then select the No access ratings system.
12. Click OK to close the Rating Systems window.
13. Click the General tab, and make sure that under User options, the setting "Users can see sites that have no rating" is not checked.
14. Click the Advanced tab. Under Ratings bureau, set the Ratings bureau list box to [None].
15. Log in as the user you are denying or restricting and test it out!

When you want to do maintenance, use the admin password to disable content advisor.

Good luck,

Author Comment

ID: 13718882

The proxy is a Linux box; I do not know if it can distinguish Windows accounts from the incoming requests (I even think it can't).

I also cannot restrict the sites, because I have several reasons why I must be able to get everywhere as administrator (e.g. driver download, webmailer, etc.).

Expert Comment

ID: 13719617
If I understand correctly, *you* need full internet access from these machines but the end-users should have *no* internet access.

Your proxy must support authentication of *some* kind, even if it would use a Windows DC. Set up a userid/password on the proxy and don't give it to any of the users.

Alternatively, it may be possible to set up an Active Directory group policy that restricts users (and not administrators) to selected sites (like Windows Update). This would be better because then the critical updates could be automatic. However, I'm not sure how this can be done... what I've read so far is not encouraging.


Accepted Solution

salvagbf earned 500 total points
ID: 13719885
You can use Group Policy to set their proxy server to a random number, then disallow changing that setting. Thus, effectively, they won't have Internet access, but will still be able to view HTML documents on the local computer. Only apply the GP to the Users group.

The GP settings to change are:
For the fake Proxy Server:
User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

Disallow changing that setting:
User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Disable changing proxy settings
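
An added example, not part of the original thread or any poster's own code: a PowerShell check, run in the restricted user's session, that confirms the two Group Policy settings above actually took effect. The registry value names are my mapping of those policies, and `$RealProxy` is a placeholder for your real proxy address. The setting only governs applications that honour the IE proxy configuration, so blocking at the proxy or gateway remains the enforcing control.

```powershell
# Added example: audit the current user's IE (WinINET) proxy lockdown.
# $RealProxy is a placeholder for your actual proxy host:port (assumption).
function Test-IEProxyLockdown {
    param(
        [string]$RealProxy = 'proxy.example.internal:3128'  # placeholder value
    )

    $inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $lock   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    $perMac = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Read a registry value, returning $null when the key or value is absent.
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    $proxyEnable = Get-RegValue $inet 'ProxyEnable'
    $proxyServer = Get-RegValue $inet 'ProxyServer'
    $pacUrl      = Get-RegValue $inet 'AutoConfigURL'
    $uiLocked    = Get-RegValue $lock 'Proxy'
    $perUser     = Get-RegValue $perMac 'ProxySettingsPerUser'

    $findings = @()
    if ($proxyEnable -ne 1) { $findings += 'ProxyEnable is not 1: the dummy proxy is not in use' }
    if (-not $proxyServer)  { $findings += 'ProxyServer is empty' }
    elseif ($proxyServer -like "*$RealProxy*") { $findings += 'ProxyServer points at the real proxy' }
    if ($pacUrl)            { $findings += "AutoConfigURL is set ($pacUrl) and may supply a working proxy" }
    if ($uiLocked -ne 1)    { $findings += 'Proxy settings UI is not locked by policy' }
    if ($perUser -eq 0)     { $findings += 'Proxy settings are per-machine: admins and users share them' }

    # One summary object per user session, suitable for logging or export.
    [pscustomobject]@{
        User        = "$env:USERDOMAIN\$env:USERNAME"
        ProxyServer = $proxyServer
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-IEProxyLockdown | Format-List
```

Run it once as a restricted user (expect `Compliant : True`) and once as the administrator account, which should still show the real proxy.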


Author Comment

ID: 13733402
Thanks everyone for the comments so far.

Today I will test salvagbf's advice, because we use GPOs anyway and this seems the easiest way to get going.

I will report tomorrow if it worked.
