Restricting Internet Access

Before I describe my problem, some background:
I have setup a network for a small non-profit organisation.  The clients, a SBS2003 server and an integrated ADSL modem/router are all connected back to a 16 port hub.  Currently, as soon as I plug in a computer, NAT kicks in and the Internet is connected.  Due to the non-profit nature of the organisation money is not plentiful.

I want to connect one of the clients (a Windows XP Pro computer) to the network so that it can join the domain and access files from the server; however, because the client computer is in a public area, I want to stop it accessing the Internet.

I need to prevent Internet access with minimum cost, but also maximum security.  Some of the people who will have access to the files from the XP computer are very computer literate and not very trustworthy.

Any suggestions?  I am interested in both hardware and software solutions, but as already mentioned, costs must be small or the solution will not be workable.
Who is Participating?
If you've got 2 NICs in the server, you can acheive what you want by simply disconnecting the client that you want to restrict Internet access on from the switch and connecting it directly to the 2nd NIC in the server via a crossover cable.  Set the IP address on the server's 2nd NIC to a private IP space different from what your LAN is using, say mask  Set the IP address of the restricted machine to, mask, default gateway

You shouldn't have to mess with any settings on your DHCP server or the rest of your LAN.  Unless you set up routing on your SBS server, the restricted machine will only be able to get to the server, period.  No need to mess with GPOs.
Depending on the ADSL modem/router that you have, you may already have the tools necessary to filter specific internal hosts from getting internet access. Most consumer models have this feature built right in.
That will prevent Internet access/abuse. Use proper username/logins to the computer and proper file restrictions on the file server. Just be sure that the Guest account is disabled on the server, and that no user account on this PC is in the Administrator group, rename the Administrator account to something only you will know, create a "new" account called Administrator, then disable it.
Log in as administrator and create a limited account for the people to use.  Make sure the account does not have access (local policy) to change the TCP/IP settings.  Then take out the default gateway from the TCP/IP settings.

Free and you will get the results you are looking for.  
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

You could also you group policy on the SBS2003 server to limit internet access.  This is pretty secure and already available on that server.  Just make sure that machine is joined to the domain and you can control almost every setting that the user has when they log in.
AlanKingsleyAuthor Commented:
I knew that I could restrict Internet access if the Internet was provided via the SBS2003 server (using a second NIC in the server), but I did not realise it was possible to restrict access from Group Policy for things that are not directly under control of the domain.  So, if I understand correcty, this must enforce group policy settings on the client stopping it requesting access to the Internet, even though the SBS2003 server cannot directly block the Internet by controlling the router?

Could you explain how to enforce this in the manner you are suggesting through Group Policy?
AlanKingsleyAuthor Commented:
I had a looked at the settings on the ADSL router, but the internal host filtering proposed by lrmoore was a little too confusing for me.  The creators of the router speak a variety of English I have not yet come across.

I will use Zoidling's solution when I have the time.  I will accept his answer now, but I will not have time to test the solution for several months.  The cost of a second NIC is less than AUD$15 which is quite acceptable in terms of cost.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.