pascal_p

Blocking internet access to non-domain member computers

Hi,

I manage a small network and I noticed the following: as long as I plug any computer into our network, it gets an IP address from our DHCP server and can access the internet. I would like to limit internet access to computers which have domain accounts only.
I know one way would be to set up MAC filtering, but that would take a while and need maintenance.
Is there a setting in Windows 2000 Server DHCP which will do the job? Or a policy?

Thanks
boywaja

I don't know of anything in DHCP that could be used for that.

As you point out, using HW address reservations is a management nightmare.

Microsoft is mentioning using IPsec so that only people in your domain can talk to you.
http://www.microsoft.com/downloads/info.aspx?na=22&p=18&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d156c73a1-f9c2-41c7-b5c1-a509fb255447%26DisplayLang%3den

Others (with newer network switches) are looking at 802.1x so that your computers authenticate to the network equipment before getting on the network. That is kind of an involved project.

And of course others have the philosophy "let them on, but they must meet my policy"; they are using products like Cisco NAC or Clean Access to do that.
ASKER CERTIFIED SOLUTION
boywaja

This solution is only available to members.
Change the security permissions on iexplore.exe so that only the users you want to allow internet access via IE can run it.
pascal_p

ASKER

I'll accept boywaja's response as the most practical. The second response requires you to have access to a non-domain member computer. If someone off the street would plug into my network (over my dead body), they would have internet access and I could not necessarily change their internet options.
It's surprising that Microsoft has not linked computer domain accounts and DHCP. Assuming network printers could be given network accounts.

Thanks everyone.