How to block terminal server clients from using the internet

Posted on 2007-10-05
Last Modified: 2013-12-04
I am using Windows 2003 Server R2 as a primary domain controller and a terminal server. I need to know how to block cretin clients from the internet while letting others connect.
Question by:unisupport
    LVL 10

    Accepted Solution

    I assume you want to do this via a centralised group policy approach, rather than manually.

    One simple way would be to create a new OU for your "cretin" users within the container that the users are currently in, and then create and apply a policy to that OU that sets a proxy server (pointing to a non-existent IP) for IE and also prevents changes to the IE connection settings. The problem with this is that it would apply to them on and off the terminal server. I don't know if that would work for you.

    Other than that, I know of two methods of locking down Terminal Services in Svr2K3: either apply a policy to the server itself in loopback processing mode (this applies to all users of the computer),
    or create a separate set of users for people to use only on the terminal server, and lock down those accounts using GPOs.

    Let me know if you need more detail on any of the above...
    LVL 52

    Expert Comment

    We have another approach in use in our company: Use an ident daemon like that submits a user id to the proxy server. On the proxy server (Linux) we have squid that only allows certain users to connect from certain IP addresses. There is no circumventing for the users. They could not even bring their own portable browsers :)
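
The proxy-side setup described in the comment above, sketched as a squid.conf fragment. This is an added example, not the commenter's actual configuration; the address 192.0.2.10 and the user names alice and bob are constructed placeholders, and it assumes a Squid build with ident support and an ident daemon running on the terminal server.

```conf
# squid.conf fragment (constructed example; address and user names are placeholders)

# The terminal server: the only host whose ident replies are consulted.
acl ts_server src 192.0.2.10/32

# Perform ident lookups only for connections coming from the terminal server.
ident_lookup_access allow ts_server
ident_lookup_access deny all
ident_timeout 5 seconds

# Users who may browse, matched against the name the ident daemon returns.
acl web_users ident alice bob

# ACLs on one http_access line are ANDed:
# the request must come from the terminal server AND belong to an allowed user.
http_access allow ts_server web_users

# Everything else is refused: other users on the terminal server,
# requests for which no ident answer came back, and all other hosts.
http_access deny all
```

Because the decision is made on the proxy from the logged-on user name, it does not depend on which browser the user starts on the terminal server.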
    LVL 1

    Author Comment

    budchawla, I have been investigating these methods, which were somewhat different in Server 2000, which was the OS I replaced with the new Server 2003. Could you explain in detail which GPOs need to be modified, as I have made the changes to what seem to be the necessary ones with no luck.
    LVL 10

    Expert Comment

    Do you want to apply the policy to all users who log into that server, or only certain users?
    LVL 1

    Author Comment

    It's a group of thin clients that different users share, so I would need to control access based on user credentials, so someone that is allowed internet access is granted it wherever they log in and someone who is not allowed will be denied wherever they log in.
    LVL 10

    Expert Comment

    by:budchawla will give you a lot of useful pointers, but to address your exact requirement:
    Put your "cretin" users into an OU and assign it a GPO with the following setting:
    User Config\Administrative Templates\System\Don't run specified Windows applications.... and enable that for iexplore.exe. That's the most basic and probably effective method.

    If for some reason you have other browsers installed, then add those to the list.

    Note: this will not cut off all internet-based comms, just browser-based access to the web.
