Blocking internet access to non-domain member computers

Posted on 2006-04-03
Last Modified: 2013-12-04

I manage a small network and I noticed the following: as long as I plug any computer into our network, it gets an IP address from our DHCP server and can access the internet. I would like to limit internet access to computers which have domain accounts only.
I know one way would be to set up MAC filtering, but that would take a while and require maintenance.
Is there a setting in Windows 2000 server DHCP which will do the job? Or a policy?

Question by:pascal_p
    LVL 4

    Expert Comment

    I don't know of anything in DHCP that could be used for that.

    As you point out using HW address reservations is a management nightmare.

    Microsoft is mentioning using IPsec so that only people in your domain can talk to you.

    Others (with newer network switches) are looking at 802.1x so that your computers authenticate to the network equipment before getting on the network. That is kind of an involved project.

    And of course others have the philosophy "let them on, but they must meet my policy", using products like Cisco NAC or Clean Access to do that.
    LVL 4

    Accepted Solution

    Never mind, I was answering a question of my own making. I'd say the easiest way to block internet access to unauthorized users is to have a password-protected HTTP proxy.
    LVL 1

    Expert Comment

    Change the security permissions on iexplore.exe so that only the users you want to allow internet access via IE can run it.

    Author Comment

    I'll accept boywaja's response as the most practical. The second response requires you to have access to a non-domain member computer. If someone off the street would plug into my network (over my dead body), they would have internet access and I could not necessarily change their internet options.
    It's surprising that Microsoft has not linked computer domain accounts and DHCP. Assuming network printers could be given network accounts.

    Thanks everyone.
