• Status: Solved

Looking for a GPO that can prevent Internet access by port and not through IE restriction

Looking for a good way to prevent some users from having internet access through group policy.  

Thanks in advance!
John Gates, CISSP
1 Solution
This is tough because a lot of internal resources may use port 80 as well as internet web sites...

You can try to create a GPO to govern the client Windows firewall.  Block port 80 both ways...

You can try to create an IPsec rule using GPO to require IPsec when using port 80.

Although, I don't think these are good solutions...  better off using a proxy..  Most firewalls now have built-in proxies...
John Gates, CISSP, Security Professional (Author) commented:
Hmm..  I don't care about blocking port 80 even internally...  My other thought is giving the client an incorrect gateway....  However, that gateway would need to revert when other people logged into the machine...  I will wait to see what ideas others come up with...  A proxy would only help if there was no alternate gateway. I am going to need to figure out a "Proxyless" way to accomplish this..

Found this link, yet didn't test it:



John Gates, CISSP, Security Professional (Author) commented:
That solution is Internet Explorer-centric.  The problem I have is people using other browsers and proxy programs to bypass it.
What firewall are you using?  This will be problematic and troublesome to manage doing it at the desktop.  Much better if your firewall has some type of user or group membership rules....?  Would need to find out what kind of firewall you're using first.

You could use group policies to create a block on port 80, but that would get troublesome over time also....much better to manage at one point -> firewall
John Gates, CISSP, Security Professional (Author) commented:
The firewall is not going to work in this case.  It is a SonicWALL and it is a POS.  Has to be done with GPO and has to be done at the machine.
Well, given those criteria to work with, you could use the Windows XP firewall w/ group policies:

Create an OU, move users into the OU that you want to block the port, link a group policy with the following:

computer configuration//admin templates//network//network connections//windows firewall//define port exceptions

configure port 80 to only receive traffic from your intranet - (or a bogus entry)

80:TCP: service
443:TCP: service

In order for this to work you would also have to *disable* these:

Windows Firewall: Allow local port exceptions
Windows Firewall: Allow local program exceptions

And *enable* these:
Windows Firewall: Protect all network connections

This can have some undesired effects, so be very careful about where you link this GPO...
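
Added example (not part of the thread and not any poster's code): a Python audit of a "Define port exceptions" list that flags enabled 80/443 entries whose scope reaches beyond the intranet. It assumes the policy's documented entry syntax `<Port>:<Transport>:<Scope>:<Status>:<Name>` and that "intranet" means `localsubnet` or RFC 1918 IPv4 space; the sample entries are constructed.

```python
import ipaddress

# Assumption: "intranet" means RFC 1918 IPv4 space (adjust for your network).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_entry(entry):
    """Parse '<Port>:<Transport>:<Scope>:<Status>:<Name>'; ValueError if malformed."""
    parts = [p.strip() for p in entry.split(":", 4)]
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields")
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("bad port")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("bad transport")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("bad status")
    return {"port": int(port), "transport": transport.upper(), "scope": scope,
            "enabled": status.lower() == "enabled", "name": name}

def scope_is_intranet(scope):
    """True only if every scope item is 'localsubnet' or inside RFC 1918 space."""
    items = [s.strip() for s in scope.split(",") if s.strip()]
    for item in items:
        if item.lower() == "localsubnet":
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)  # a.b.c.d/mask also parses
        except ValueError:
            return False  # '*' or anything unparseable counts as too broad
        if not any(net.subnet_of(r) for r in RFC1918):
            return False
    return bool(items)  # an empty scope is not treated as intranet-only

def audit(entries, web_ports=(80, 443)):
    """Return (entry, reason) for malformed entries and broadly scoped web ports."""
    findings = []
    for entry in entries:
        try:
            rule = parse_entry(entry)
        except ValueError as exc:
            findings.append((entry, f"malformed: {exc}"))
            continue
        if (rule["enabled"] and rule["port"] in web_ports
                and not scope_is_intranet(rule["scope"])):
            findings.append((entry, "web port open beyond intranet scope"))
    return findings

SAMPLE = ["80:TCP:*:enabled:Web", "8080:TCP:enabled",  # constructed entries
          "443:TCP:192.168.10.0/24,localsubnet:enabled:Intranet HTTPS",
          "443:TCP:203.0.113.5:enabled:Partner", "80:TCP:10.0.0.0/255.0.0.0:disabled:Old"]
```

`audit(SAMPLE)` returns one finding each for the `*`-scoped port 80 entry, the three-field entry, and the port 443 entry scoped to a public address.
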
John Gates, CISSP, Security Professional (Author) commented:
Firewall is disabled domain wide.  I was thinking maybe this can be done with an IPsec policy..  Still looking into it.
Ahhh, then this is what you're looking for:

Question has a verified solution.
