How to block terminal server clients from using the internet

I am using Windows 2003 Server R2 as a primary domain controller and a terminal server. I need to know how to block cretin clients from the internet while letting others connect.
I assume you want to do this via a centralised group policy approach, rather than manually.

One simple way would be to create a new OU for your "cretin" users within the container that the users are currently in, and then create & apply a policy to that OU that sets a proxy server (pointing to a non-existent IP) for IE and also prevents changes to the IE connection settings. The problem with this being that it would apply to them on & off the terminal server. I don't know if that would work for you.

Other than that, I know of two methods of locking down Terminal Services in Svr2K3 - either apply a policy to the server itself in loopback processing mode - this applies to all users of the computer.
Or, create a separate set of users for ppl to use only on the terminal server, and lockdown those accounts using GPOs.

Let me know if you need more detail on any of the above...
We have another approach in use in our company: Use an ident daemon like that submits a user id to the proxy server. On the proxy server (Linux) we have squid that only allows certain users to connect from certain IP addresses. There is no circumventing for the users. They could not even bring their own portable browsers :)
unisupport (Author) Commented:
budchawla, I have been investigating these methods, which were somewhat different in Server 2000, which was the OS I replaced with the new Server 2003. Could you explain in detail which GPOs need to be modified, as I have made the changes to what seem to be the necessary ones with no luck.
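A sketch of the Squid side of the ident approach described in the comment above, as an added example that is not the commenter's actual configuration. The terminal server address (192.0.2.10) and the usernames are constructed placeholders, and it assumes an ident daemon on the terminal server that reports the logged-on user who owns each connection.

```conf
# squid.conf fragment (added example; address and usernames are constructed)

# The terminal server that all thin-client sessions browse from.
acl ts_hosts src 192.0.2.10/32

# Users who may browse, matched against the name the ident daemon returns.
acl web_users ident alice bob

# Only query ident on the terminal server. The answer is asserted by that
# host, so it is trustworthy only while users there cannot stop, replace
# or reconfigure the ident daemon.
ident_lookup_access allow ts_hosts
ident_lookup_access deny all

# Give up on a missing or silent ident daemon instead of hanging requests.
# With no ident answer the web_users ACL cannot match, so the request is denied.
ident_timeout 10 seconds

# Allow only listed users coming from the terminal server; deny the rest,
# including unlisted users on the terminal server.
http_access allow ts_hosts web_users
http_access deny all
```

For the proxy rule to be the only way out, the perimeter firewall also has to block direct outbound web traffic from the terminal server, so that sessions cannot bypass Squid.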
Do you want to apply the policy to all users who log into that server, or only certain users?
unisupport (Author) Commented:
It's a group of thin clients that different users share, so I would need to control access based on user credentials, so someone that is allowed internet access is granted it wherever they log in and someone who is not allowed will be denied wherever they log in.
budchawla Commented:
will give you a lot of useful pointers, but to address your exact requirement:
Put your "cretin" users into an OU and assign it a GPO with the following setting:
User Config\Administrative Templates\System\Don't run specified Windows applications.... and enable that for iexplore.exe. That's the most basic and probably effective method.

If for some reason you have other browsers installed, then add those to the list.

Note: this will not cut off all internet-based comms, just browser-based access to the web.
Question has a verified solution.
