Restricting Internet Access

Posted on 2005-04-25
Last Modified: 2010-03-17
Before I describe my problem, some background:
I have set up a network for a small non-profit organisation.  The clients, an SBS2003 server and an integrated ADSL modem/router are all connected back to a 16 port hub.  Currently, as soon as I plug in a computer, NAT kicks in and the Internet is connected.  Due to the non-profit nature of the organisation money is not plentiful.

I want to connect one of the clients (a Windows XP Pro computer) to the network so that it can join the domain and access files from the server; however, because the client computer is in a public area, I want to stop it accessing the Internet.

I need to prevent Internet access with minimum cost, but also maximum security.  Some of the people who will have access to the files from the XP computer are very computer literate and not very trustworthy.

Any suggestions?  I am interested in both hardware and software solutions, but as already mentioned, costs must be small or the solution will not be workable.
Question by: AlanKingsley
    LVL 79

    Expert Comment

    Depending on the ADSL modem/router that you have, you may already have the tools necessary to filter specific internal hosts from getting internet access. Most consumer models have this feature built right in.
    That will prevent Internet access/abuse. Use proper username/logins to the computer and proper file restrictions on the file server. Just be sure that the Guest account is disabled on the server, and that no user account on this PC is in the Administrator group. Rename the Administrator account to something only you will know, create a "new" account called Administrator, then disable it.
    LVL 23

    Expert Comment

    Log in as administrator and create a limited account for the people to use.  Make sure the account does not have access (local policy) to change the TCP/IP settings.  Then take out the default gateway from the TCP/IP settings.

    Free and you will get the results you are looking for.  
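A check for the default-gateway removal described in the comment above, added here as an example and not part of the original thread: it reads `route print` output captured from the client and lists every route that hands traffic to a next-hop gateway, which covers a re-added default gateway as well as any static route. The addresses and the `offlink_routes` helper are constructed for illustration.

```python
import ipaddress

# Constructed `route print` output (Active Routes table); all addresses are
# sample values, not taken from the thread.
WITH_GATEWAY = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1      20
        224.0.0.0        240.0.0.0     192.168.1.50    192.168.1.50      20
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50       1
Default Gateway:       192.168.1.1
"""
# The same client once the gateway is removed: every line naming it is gone.
WITHOUT_GATEWAY = "\n".join(
    line for line in WITH_GATEWAY.splitlines()
    if "192.168.1.1" not in line.split()
)

def parse_routes(text):
    """Return (network, gateway, interface) for each route row in the text."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:          # route rows have exactly five columns
            continue
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}", strict=False)
        except ValueError:          # not an address/netmask pair
            continue
        routes.append((net, cols[2], cols[3]))
    return routes

def offlink_routes(text):
    """List routes that forward to a next hop instead of delivering on-link."""
    hits = []
    for net, gateway, iface in parse_routes(text):
        # XP shows on-link routes with the gateway equal to the interface
        # address (or loopback); later Windows versions print "On-link".
        if gateway in (iface, "127.0.0.1", "On-link"):
            continue
        hits.append((str(net), gateway))
    return hits

if __name__ == "__main__":
    print("before:", offlink_routes(WITH_GATEWAY))
    print("after: ", offlink_routes(WITHOUT_GATEWAY))
```

An empty result means the client has no route off its own subnet; any entry means a gateway or static route has been put back.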
    LVL 9

    Expert Comment

    You could also use group policy on the SBS2003 server to limit internet access.  This is pretty secure and already available on that server.  Just make sure that machine is joined to the domain and you can control almost every setting that the user has when they log in.
    LVL 3

    Author Comment

    I knew that I could restrict Internet access if the Internet was provided via the SBS2003 server (using a second NIC in the server), but I did not realise it was possible to restrict access from Group Policy for things that are not directly under control of the domain.  So, if I understand correctly, this must enforce group policy settings on the client stopping it requesting access to the Internet, even though the SBS2003 server cannot directly block the Internet by controlling the router?

    Could you explain how to enforce this in the manner you are suggesting through Group Policy?
    LVL 5

    Accepted Solution

    If you've got 2 NICs in the server, you can achieve what you want by simply disconnecting the client that you want to restrict Internet access on from the switch and connecting it directly to the 2nd NIC in the server via a crossover cable.  Set the IP address on the server's 2nd NIC to a private IP space different from what your LAN is using, say mask  Set the IP address of the restricted machine to, mask, default gateway

    You shouldn't have to mess with any settings on your DHCP server or the rest of your LAN.  Unless you set up routing on your SBS server, the restricted machine will only be able to get to the server, period.  No need to mess with GPOs.
    LVL 3

    Author Comment

    I had a look at the settings on the ADSL router, but the internal host filtering proposed by lrmoore was a little too confusing for me.  The creators of the router speak a variety of English I have not yet come across.

    I will use Zoidling's solution when I have the time.  I will accept his answer now, but I will not have time to test the solution for several months.  The cost of a second NIC is less than AUD$15 which is quite acceptable in terms of cost.
