Restricting Internet Access

Posted on 2005-04-25
Medium Priority
Last Modified: 2010-03-17
Before I describe my problem, some background:
I have set up a network for a small non-profit organisation.  The clients, a SBS2003 server and an integrated ADSL modem/router are all connected back to a 16 port hub.  Currently, as soon as I plug in a computer, NAT kicks in and the Internet is connected.  Due to the non-profit nature of the organisation money is not plentiful.

I want to connect one of the clients (a Windows XP Pro computer) to the network so that it can join the domain and access files from the server; however, because the client computer is in a public area, I want to stop it accessing the Internet.

I need to prevent Internet access with minimum cost, but also maximum security.  Some of the people who will have access to the files from the XP computer are very computer literate and not very trustworthy.

Any suggestions?  I am interested in both hardware and software solutions, but as already mentioned, costs must be small or the solution will not be workable.
Question by: AlanKingsley

Expert Comment

ID: 13858411
Depending on the ADSL modem/router that you have, you may already have the tools necessary to filter specific internal hosts from getting internet access. Most consumer models have this feature built right in.
That will prevent Internet access/abuse. Use proper username/logins to the computer and proper file restrictions on the file server. Just be sure that the Guest account is disabled on the server, and that no user account on this PC is in the Administrator group, rename the Administrator account to something only you will know, create a "new" account called Administrator, then disable it.

Expert Comment

ID: 13859109
Log in as administrator and create a limited account for the people to use.  Make sure the account does not have access (local policy) to change the TCP/IP settings.  Then take out the default gateway from the TCP/IP settings.

Free and you will get the results you are looking for.  

Expert Comment

ID: 13887089
You could also use group policy on the SBS2003 server to limit internet access.  This is pretty secure and already available on that server.  Just make sure that machine is joined to the domain and you can control almost every setting that the user has when they log in.


Author Comment

ID: 13892486
I knew that I could restrict Internet access if the Internet was provided via the SBS2003 server (using a second NIC in the server), but I did not realise it was possible to restrict access from Group Policy for things that are not directly under control of the domain.  So, if I understand correctly, this must enforce group policy settings on the client stopping it requesting access to the Internet, even though the SBS2003 server cannot directly block the Internet by controlling the router?

Could you explain how to enforce this in the manner you are suggesting through Group Policy?

Accepted Solution

Zoidling earned 2000 total points
ID: 13923600
If you've got 2 NICs in the server, you can achieve what you want by simply disconnecting the client that you want to restrict Internet access on from the switch and connecting it directly to the 2nd NIC in the server via a crossover cable.  Set the IP address on the server's 2nd NIC to a private IP space different from what your LAN is using, say mask  Set the IP address of the restricted machine to, mask, default gateway

You shouldn't have to mess with any settings on your DHCP server or the rest of your LAN.  Unless you set up routing on your SBS server, the restricted machine will only be able to get to the server, period.  No need to mess with GPOs.
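
Added example, not part of the original thread: a reachability audit to run on the restricted PC after cabling it to the server's second NIC, confirming that only the server answers and that nothing is being routed onward. The addresses, ports and target list are constructed placeholders (the addresses in the post above were not preserved), and `tcp_probe` and `audit_isolation` are names chosen for this sketch.

```python
import socket

# Constructed sample plan; replace every host with your own values.
EXPECTED = [
    # (label, host, port, should_connect)
    ("SBS server file share (2nd NIC)", "192.168.50.1", 445, True),
    ("ADSL router admin page on the LAN", "192.168.1.1", 80, False),
    ("Another LAN client", "192.168.1.20", 445, False),
    ("Public web host", "example.com", 80, False),
]

def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, or name not resolved
        return False

def audit_isolation(expected=EXPECTED, probe=tcp_probe):
    """Compare observed reachability with the plan; return the mismatches."""
    findings = []
    for label, host, port, should_connect in expected:
        reachable = probe(host, port)
        if reachable and not should_connect:
            # The server is forwarding (or NATing) traffic it should drop.
            findings.append(("LEAK", label, host, port))
        elif not reachable and should_connect:
            # The client cannot reach the one host it is meant to use.
            findings.append(("BROKEN", label, host, port))
    return findings

if __name__ == "__main__":
    results = audit_isolation()
    for kind, label, host, port in results:
        print(f"{kind}: {label} ({host}:{port})")
    print("isolation holds" if not results else f"{len(results)} problem(s) found")
```

Re-run it after any change to the server's network or routing configuration; a `LEAK` line means the server has started forwarding traffic from the restricted subnet.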

Author Comment

ID: 14042354
I had a look at the settings on the ADSL router, but the internal host filtering proposed by lrmoore was a little too confusing for me.  The creators of the router speak a variety of English I have not yet come across.

I will use Zoidling's solution when I have the time.  I will accept his answer now, but I will not have time to test the solution for several months.  The cost of a second NIC is less than AUD$15 which is quite acceptable in terms of cost.
