unisupport asked:
How to block terminal server clients from using the internet

I am using Windows 2003 Server R2 as a primary domain controller and a terminal server. I need to know how to block certain clients from the internet while letting others connect.
ASKER CERTIFIED SOLUTION
budchawla
McKnife:
We have another approach in use in our company: use an ident daemon like http://grack.com/programming/misc/Identd.html that submits a user id to the proxy server. On the proxy server (Linux) we have squid that only allows certain users to connect from certain IP addresses. There is no circumventing it for the users. They could not even bring their own portable browsers :)
unisupport (ASKER):
budchawla, I have been investigating these methods, which were somewhat different in Server 2000, which was the OS I replaced with the new Server 2003. Could you explain in detail which GPOs need to be modified, as I have made the changes to what seem to be the necessary ones with no luck.
Do you want to apply the policy to all users who log into that server, or only certain users?
It's a group of thin clients that different users share, so I would need to control access based on user credentials: someone who is allowed internet access is granted it wherever they log in, and someone who is not allowed will be denied wherever they log in.
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx will give you a lot of useful pointers, but to address your exact requirement:
Put your "cretin" users into an OU and assign it a GPO with the following setting:
User Config\Administrative Templates\System\Don't run specified Windows applications.... and enable that for iexplore.exe. That's the most basic and probably effective method.

If for some reason you have other browsers installed, then add those to the list.

Note: this will not cut off all internet-based comms, just browser-based access to the web.
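The "Don't run specified Windows applications" setting above writes into the current user's Explorer policy key in the registry, so its effect can be verified from inside a restricted user's terminal session. The following audit script is an added example, not code from the thread; the list of browser executables is an assumption and should match what is actually installed on the terminal server.

```powershell
# Added example: check whether the DisallowRun policy is in effect for the
# logged-on user and which executables it lists. The two registry paths are
# where that GPO setting is written; the browser list is an assumed set.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowRun'
$Expected  = @('iexplore.exe', 'firefox.exe', 'opera.exe')   # assumed browsers

function Get-DisallowRunState {
    $enabled = $false
    if (Test-Path $PolicyKey) {
        # DisallowRun = 1 (DWORD) means the restriction list is active.
        $flag = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).DisallowRun
        $enabled = ($flag -eq 1)
    }

    $blocked = @()
    if (Test-Path $ListKey) {
        # Under the DisallowRun subkey each value is named "1", "2", ... and
        # holds one executable file name; ignore the PS* bookkeeping members.
        $props = Get-ItemProperty -Path $ListKey
        $blocked = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value.ToLower() })
    }

    New-Object PSObject -Property @{
        Enabled = $enabled
        Blocked = $blocked
        Missing = @($Expected | Where-Object { $blocked -notcontains $_.ToLower() })
    }
}

$state = Get-DisallowRunState
if (-not $state.Enabled) {
    Write-Warning 'DisallowRun policy is not enabled for this user (check OU membership and run gpupdate /force).'
}
"Blocked executables: $($state.Blocked -join ', ')"
if ($state.Missing.Count -gt 0) {
    Write-Warning "Expected browsers not in the list: $($state.Missing -join ', ')"
}
```

The check matches executables by file name, exactly as the policy itself does, so it confirms the browser restriction is applied but says nothing about non-browser traffic; for that, a proxy with per-user authorization like the squid setup McKnife describes is the complementary control.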