Easily enable/disable web access on SBS2003 network

I'm re-configuring a small school network which is being connected to an ADSL Broadband connection for the first time, which has a number of XP clients and a SBS2003 server.

I've put a second network card in the server to connect to the router, which should allow me to use ISA server (which I must admit I have not used before).

There are two users defined - pupil and staff.

The requirements are:

* Email to be always available for all users
* Web access for the staff to be always available
* Web access for pupils to be easily enabled/disabled by staff, so
that it is only available when a staff member is supervising.

Email access is not currently routed via Exchange, but could be. I realise that ISA server can have schedules set, and can restrict access to sites and so on, but I'm not sure about the best way to achieve the third requirement.

A brutal way - since only staff have physical access to the server - is to switch email usage to Exchange and then allow staff to turn on or off the ADSL router box.

As a more elegant approach, I was wondering about something like setting a GPO so that pupils have the SBS server configured as an http proxy while staff have no proxy, and then have a script for staff which turns on and off ISA server proxying.  

This would be easily defeated, but we are allowed to assume that pupils will not try to defeat restrictions (yeah, I was sceptical about that too, but that's what they told me).

While I think the above approaches are workable, I'm hoping there are some better ways.

Any ideas or pointers?

First of all, if you're running Exchange, you don't really want to be pulling out your network connection when there is no one supervising, unless of course you only expect internal emails.

ISA 2004 is your friend here - install ISA and then configure two users, pupil and staff as you say. These users can use an ADSI query to select individuals or groups of users, so you can distinguish between staff and pupil domain accounts.

Then you need to create two policies for web access, one for the staff account and one for the pupils. The staff account can be unrestricted, but you can impose content filters and the like for pupils, as well as time-of-day restriction policies that will prevent access at certain times.

If you want an 'on-off' switch, then create a third policy that overrides the default pupil policy, and enable/disable that as and when access is required. I think you could even script the enabling/disabling of the policies so teachers only have to click a shortcut to turn it on.

That way Exchange gets to keep its connection to the web, making your internet mail somewhat more reliable.
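The "script the enabling/disabling of the policies" idea above, as an added example that is not part of the original thread or of ISA itself. It flips the Enabled flag on one named firewall policy rule through ISA 2004's administration COM object (FPC.Root), so a teacher's desktop shortcut can run it. The rule name 'Pupil Web Access' and the user set name 'Pupils' are assumptions matching the answer's suggested layout; the FPC property names used are those documented in the ISA 2004 SDK and should be checked against your installed version. It assumes PowerShell 2.0 on the ISA server, run under an account in the ISA Administrators role.

```powershell
# Toggle-PupilWebRule.ps1 -- added example, not from the original thread.
# Enables or disables one ISA 2004 firewall policy rule via FPC.Root.
# Run on the ISA server (or a box with ISA Management installed) as a
# member of the ISA Administrators role.
param(
    [string]$RuleName    = 'Pupil Web Access',   # assumption: name of the "pupils may browse" rule
    [string]$PupilSetName = 'Pupils'             # assumption: ISA user set holding the pupil account
)

$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()        # the local array (a standalone server is a one-member array)
$rules = $array.ArrayPolicy.PolicyRules   # ordered firewall policy rule collection

try {
    $rule = $rules.Item($RuleName)
} catch {
    Write-Error "No firewall policy rule named '$RuleName' exists on this ISA server."
    exit 1
}

# Safety check before touching anything: only toggle a rule whose 'Users' tab
# names the pupil user set, so the shortcut can never switch off the staff rule
# or the rule that lets Exchange send and receive mail.
$appliesToPupils = $false
foreach ($set in $rule.AccessProperties.UserSets) {
    if ($set.Name -eq $PupilSetName) { $appliesToPupils = $true }
}
if (-not $appliesToPupils) {
    Write-Error "Rule '$RuleName' is not scoped to the '$PupilSetName' user set; refusing to toggle it."
    exit 1
}

$rule.Enabled = -not $rule.Enabled
$rule.Save()                              # commit to ISA storage; the firewall service applies it

if ($rule.Enabled) { "Pupil web access is now ON" } else { "Pupil web access is now OFF" }
```

Rule order still matters: the toggled rule has to sit above the deny rule that catches pupils by default, and the staff and Exchange rules must not depend on it. Because this talks to the ISA COM object, it has to run with ISA administrator rights on the server itself, which is the price of this approach compared with the group-membership one discussed later in the thread.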


I agree about the network connections: there are cleaner ways to do this.

About defeating the proxy settings: I'd make sure that all traffic has to pass through ISA server. Don't allow transparent access to the web (preferably, don't even configure a default gateway for the public clients).

How do pupils authenticate? Do they use the same user account for the entire classroom? If they each have a user account, are they organized in Organizational Units in your AD? I'm assuming they have a single, common user account, and that you have two groups (Staff and Pupils) with the staff members already populated. The Staff user group can access the ISA server without a schedule.

DSMOD can be your friend, as well. (Group hug!! ;-)

My idea is this: add and remove the student user accounts to and from the Pupils user group as needed. Create a special OU for the Pupils user group. Delegate control to that OU to the Staff/Teachers user group, so that supervisors have permissions to change group membership.

Then use a DSMOD command (included in XP) to script adding users to groups. A staff member must run this. Then you'll have two shortcuts:

dsmod group "CN=Pupils,OU=InternetAccess,DC=mydomain,DC=ads" -addmbr "CN=Classroom3,OU=Users,OU=MySchool,DC=mydomain,DC=ads"

to add the user to the group; replace "-addmbr" with "-rmmbr" to remove the user from the group.

If each pupil has a user account of their own, use

dsquery user "OU=Pupils,OU=Users,OU=Myschool,DC=mydomain,DC=ads" | dsmod group "CN=Pupils,OU=Internetaccess,DC=mydomain,DC=ads" -addmbr

to add all user accounts in the Myschool/Users/Pupils OU to the group.

Hope this helps.
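The same toggle as the two DSMOD shortcuts above, as an added example that is not part of the original thread: it checks whether the shared Pupil account is currently in the Pupils group and then adds or removes it, so a single shortcut serves as the on/off switch. It uses PowerShell's [ADSI] type accelerator instead of DSMOD, so it needs PowerShell 2.0 but not ADMINPAK. The DNs, the group name and the Staff group name are assumptions matching the answer's examples; the dsacls line in the comment is the one-time delegation step, not something a teacher runs.

```powershell
# Toggle-PupilInternetGroup.ps1 -- added example, not from the original thread.
# Adds or removes the shared Pupil account from the group that the ISA
# pupil access rule is keyed on. Runs under an ordinary teacher logon once
# "Modify the membership of a group" has been delegated on the OU.
param(
    [string]$GroupDn  = 'CN=Pupils,OU=InternetAccess,DC=mydomain,DC=ads',   # assumption
    [string]$MemberDn = 'CN=Pupil,OU=Users,OU=MySchool,DC=mydomain,DC=ads'   # assumption
)

# One-time set-up, run once by a domain admin (not by teachers). Grants the
# Staff group write access to the 'member' attribute of group objects in the
# OU, which is what the Delegation of Control wizard's "Modify the membership
# of a group" task does:
#   dsacls "OU=InternetAccess,DC=mydomain,DC=ads" /I:S /G "MYDOMAIN\Staff:WP;member;group"

try {
    $group = [ADSI]"LDAP://$GroupDn"
    $currentMembers = @($group.member)    # forces the bind; throws if the DN is wrong or unreachable
} catch {
    Write-Error "Could not read group '$GroupDn': $($_.Exception.Message)"
    exit 1
}

# 'member' holds the DNs of the current members. PowerShell string comparison
# is case-insensitive, which matches how AD compares DNs.
$isMember = $currentMembers -contains $MemberDn

try {
    if ($isMember) {
        $group.Remove("LDAP://$MemberDn")   # IADsGroup::Remove
        "Pupil web access is now OFF"
    } else {
        $group.Add("LDAP://$MemberDn")      # IADsGroup::Add
        "Pupil web access is now ON"
    }
} catch {
    # The usual cause is the missing delegation above, which surfaces as
    # 'Access is denied' from the directory.
    Write-Error "Could not change membership of '$GroupDn': $($_.Exception.Message)"
    exit 1
}
```

One caveat a practitioner will hit: Windows builds a user's group list into the logon token, so a pupil who is already logged on keeps the old membership until the pupil PC is logged off and on again (and ISA may cache authenticated sessions for a while on top of that). Test the delay in the classroom before relying on the switch to cut access mid-lesson. Note also that the DSQUERY variant above returns at most 100 objects by default; pass "-limit 0" if the Pupils OU is larger than that.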

Nice idea... only problem is that the user who runs this must be a domain admin. If you can get over that problem I prefer your solution to mine! Also, if someone can use AD U&C they can grant internet access to individual pupils when they have finished work or need the internet at other times for research!

Thanks for the ideas.

VSpike (Author) commented:
Currently all pupils log into a single user account ("Pupil") and staff log into a single account ("Staff").  This could be changed if required.  I like the suggestions, I'm looking forward to researching and trying them out.  Thanks for the interest!
Nickhills, fortunately this is not true. I've just tested this on a Windows XP domain member with a regular user account and all commands I mentioned above work. Remember you have to delegate the right "Modify the membership of a group" on the OU where the group resides. Administrator rights are not required.

The DSMOD, DSQUERY, etc. commands are available after you install ADMINPAK.MSI on the client. If you don't want all Administrative Tools available on the client, then you can also copy the DS*.EXE commands from the server (windows\system32 folder).
If you give every pupil a separate user account then you have more control, but this can be an administrative nightmare as well. Depends on the number of pupils and some other requirements, I guess.
Even better!
You just delegate Modify permissions to your teachers! (I re-read your first post and spotted that.)

Interesting, that opens up all sorts of possibilities with DSMOD & DSQUERY, I might go and play :)
Thanks Rant32
VSpike (Author) commented:
Sorry for the delay.  It seems they gave me incorrect information - they said they had SBS Premium, but they do not, hence ISA server is not installed.

It can be added for around 500 UKP which is quite reasonable, and I will recommend that they do it as I think the flexibility it will give them will be worth it.

Just to check though, am I missing any good solutions here which don't involve ISA server?

Make sure to check out MS software offers for educational and academic institutions...

Here in the Netherlands, schools just pay a fixed fee per FTE and they can run about EVERY piece of software they want to (including Windows Server, Terminal Services, Exchange, ISA, Symantec/McAfee Antivirus, you name it)

VSpike (Author) commented:
Unfortunately, that includes the academic discount!
Ack. Well, then you'll probably get ISA 2004 which is even more flexible.

You should be able to convince them to purchase it: excellent proxy caching, user authentication, and ISA can really keep nasty stuff out of the door (no executable downloads).

I have no other recommendation.
VSpike (Author) commented:
Thanks.  I will strongly recommend it then.  There may be a delay before I get to implement the suggested solution, but I will return to this question, don't worry.