blocking internet access to one specific user on windows 2000 / ie 6

I have a need to block "one" specific user from ALL internet access and still allow all other users to make the connection.

it's been a long time since I have had to do this, can someone bring me back up to speed, please?

the o/s is windows 2000 professional

the browser is internet explorer version 6.1 plus whatever the latest patches are.

the user is just that "a basic user", not an admin or power user.

thanks, rich
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

a few different ways...
Here's one.
on his computer open internet explorer -->tools -->internet options -->connections --> lan settings -->check use proxy ....then just type in a bogus address.
or do the same for his default gateway.

Do you have any firewalls/routers? some have the capability to block specific IP addresses.

Hope this helps
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

Rich RumbleSecurity SamuraiCommented:
A group policy would be best for this situation, a fake proxy could suffice, however that is likely to block the user from INTRAnet access as well. You may want to look at setting up an IPSEC filter policy for that user. Not all browser's obey the proxy setting, IE will if you use a GP to set it, but firefox, and opera can be changed to ignore or not use proxy settings, even for a non-admin. A crafty user will not install FireFox, or Opera, but bring in a CD with the program files on it, or a USB stick with the program files folder, containing Opera and or FireFox. Using an IPSEC filter will make sure that no matter what browser or settings he/she has, they won't get past the filter.
Applys to win2k also:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If you would like the user to be able to access the intranet, just make sure the 'bypass proxy for local addresses' is checked on the lan connection tab. I have done this to a few computers on my network and it works good.  
or block port 80 & 443 from that users workstation during work hours
Make sure the user doesnt have the rights to change his own network settings and create a rule for him in your dhcp server without giving him a default gateway. For example in a 2000 server u could ad a dhcp reservation for the mac address of his networkcard without the gateway option.

Good luck.
Perhaps I am the only one here that doesn't clearly understand the question. Are you trying to block internet access to one particular workstation on your network or are you trying to block one particular local user on a workstation from browsing the internet while he/she is logged in, but allow other users that log in to the workstation to accesss the internet? In the first case some of the solutions above would work well (ie IPSec filters, firewall, etc). In the second case a lot of these solutions will not work because they will also cut off access to legitimate users.

If you are using a single workstation it might be pretty difficult to achieve this without some third party tools. If your workstation is a member of a domain you should be able to specify IPsec filters to use for this user so that they will be applied on any machine the user logs in. The best solution I can see at the moment involves some coding. Create a Windows Service that will run as Local System and have the privilege to modify any settings and put a timer to check every couple of minutes which user is currently logged in. If the user in question is logged in you can apply an IPsec filter, disable the network card, change the gateway, etc, and then undo these changes when another user is logged in. This will allow you to modify settings that require more permission that the user has (which also will prevent the user from changing these settings manually). It will require a little bit of coding however.


Cosmin Stejerean
bigrickyAuthor Commented:
to clarify my question... sorry if I wasn't clear enough originally.

I want to block just "one" specific user from accessing the internet.

we could take this a step further and say that "only the administrator" can have access to the internet.

meaning no one other than the administrator should have internet access.

I can only perform this block at the workstation level and NOT at the router or dhcp server.
Rich RumbleSecurity SamuraiCommented:
You can apply a group policy to that users account, and no matter what workstation they sign on to in your LAN, they will have this restriction. You can use the proxy settings mentioned above, or my IPSEC filter suggestions with ease.
If the user is logging into other workstations or other are logging into the same workstation, then yes a Group Policy would work the best. Thanks for clarifying cosmin and bigricky.

 I would follow richrumbles link above in this case.
bigrickyAuthor Commented:
thank you all
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.