Group policy question

We have a Windows 2003 network and we would like to setup a group policy for three specific Active Directory accounts, not to be able to access the Internet.  What is the path, quickest and easist method to setup a group policy to block these three accounts from accessing the Internet?  Any assistance offered would be greatly appreciated.  
regsampAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

regsampAuthor Commented:
The link was okay but I know there is a way to block Interent Access to an Active Directory account and if we could get that path in the Group Policy editor then we would be all set.  
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

regsampAuthor Commented:
The second link is not really viable for our situation.  A group policy that would prevent four specific users from getting to the Interent would be the ideal solution as we are going to be upgrading our firewall/router/proxy very soon.  
0
JoeCommented:
Thats is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

then place the 4 users in the OU you want this applied. And set it to 127.0.0.1
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
conradieCommented:
You may also want to check out the "MACHINE POLICY/Administrative Templates\System\Internet Communication Management | Restrict Internet communication" GPO Object, and read this article about it: http://www.gpanswers.com/community/viewtopic.php?p=2351&sid=7b46a94fd29bf9fe91a840ad62bd4c42

Seems like it may accomplish exactly what you need.

 
0
stevew1Commented:
Create an OU, put the users you want to restrict in this OU. Then create a group policy "User Configuration\Windows Settings\Software restrictions\  click on action and create a new software restriction policy. Under Additional Rules create a new hash rule to disallow iexplore.exe
0
stevew1Commented:
Actually you can disregard my comment above. It seems this works in reverse of what I thought. If you set the default security to disallowed it will disallow every program. You would have to create rules for the programs you wanted to allow, Might work if you only wanted to allow a few programs.
0
regsampAuthor Commented:
"Thats is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

then place the 4 users in the OU you want this applied. And set it to 127.0.0.1"

This seems like it may work and just want to make sure I have this right, 1.  Active Directory Users and Computers, 2.  Properties/Group Policy, 3.  Add settings above and how are just the 4 users being added so that nobody else is affected?  
0
regsampAuthor Commented:
Disregard the above.  I need to create an OU and add the above settings and then add the users to it as the other method would add it, correct?  
0
JoeCommented:
what you could do is make a new OU add your 4 users change those settings and you could block policy inheritance on that OU if you wanted to.
0
IdeasUnknownSystem AdministratorCommented:
If you are using GPMC 1.0.2 (Group Policy Management Console 1.0.2) which you should be if you are using Windows Server 2003 you can add a new GPO at the Domain Level as such.

1. Login to a/the Domain Controller.
2. Start -> Run
3. In the "Open" box type "gpmc.msc" (without the quotes) and press the "OK" button.
4. Right click your domain container.
5. Select "Create and Link a GPO here...".
6. In the "Name" box type a descriptive name, such as "Blocked Internet Custom Instructions", and press the "OK" button.
7. Find and select the new GPO in the left pane under your domain container.
8. In the middle pane on the right side labeled "Security Filtering" remove the default groupings and users and add the Active Directory account names (3) that you want blocked from the internet.
9. Right click the new GPO in the left pane and select "Edit" from the menu.
10. Please see regsamp's post above for the correct hierarchy for the settings you want and need.
11. Sit back and enjoy being a bad ass network administrator.

Hope that helps!
0
regsampAuthor Commented:
I created a new OU, added the 4 users and changed the settings to
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
And set it to 127.0.0.1.  Blocked policy inheritance on that OU and it is working great, Thank you.  
0
JoeCommented:
Glad to have helped :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.