crashitexchange

Group Policy

I have a domain in which the shop managers and the junior staff are administered.

The Shop Managers and junior staff belong to a security group called "SuburbNameShop" and also the Shop Managers belong to a second one called "shopManagers".
 
How would I enable Internet access for the shop managers and disable it for the junior staff?

Please be detailed. Thanks
ASKER CERTIFIED SOLUTION
Brian Pierce
I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else.

So, here are a couple of links - which should make things crystal clear (it is as detailed as right click create new users)

1) http://www.howtonetworking.com/Internet/restrictie11.htm

2) https://www.experts-exchange.com/questions/23059014/Can-group-policy-be-used-to-restrict-internet-access-to-certain-users-or-pc's.html

3) http://technet.microsoft.com/en-us/magazine/cc160780.aspx

4) http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic8080.aspx

5) http://www.theeldergeek.com/forum/index.php?showtopic=31368

If you still have problems understanding - please post your doubts and we would be glad to answer.
>> I wish I could copy-paste the solution from other sites - but I personally do not want to be a GURU of something written by someone else <<

It's perfectly acceptable to refer users to other sites - after all, there is no point in re-inventing the wheel. What is not acceptable is to implicitly criticise other users and then post the SAME link!

You can apply GPOs to groups.

I do this all the time. The trick is to deny/allow read and/or apply security permissions to the various OUs to which you have applied the GPO.
As I stated earlier, it's NOT good practice to use security filtering like this on a routine basis. It can get very confusing and is almost always unnecessary; it's a bit like using the DENY permission on a file or folder in that respect.

Extensive use of security filtering is almost always indicative of a badly thought out OU structure.
To expand on what I mean, create two GPO policies: one for shop admins and one for junior staff.

Policy 1 - let's call it my-shop-admins-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
Policy 2 - let's call it my-shop-jr_staff-corp
  • go to the security tab of the policy and add the group to which your shop admins belong
  • Go to the delegation tab and click on advanced
  • Click on advanced once again
  • deselect the check box "inherit permissions"
  • click on COPY
  • click on apply
  • Now remove the group authenticated users
  • open the GPO and browse to the following section
    • Users Config\Administrative Templates\System
  • Look for the setting "Don't Run Specified Applications"
    • Enable the policy
    • Add the Application iexplore.exe

Let's agree to disagree, I have been using this on hundreds of computers in my domain for the past three years.  Yes it can become overwhelming if not documented.  But if the options weren't there to be used it would not be.


It IS bad practice - no doubt about that - it is designed to be used when there is no other realistic way of achieving the desired results - again I would compare it to using the DENY option in permissions.

Yes, it's there to be used - but it needs to be used in the correct context. If you apply all policies at the domain and then use security filtering, it is very inefficient and difficult to see exactly which policies are applying to what. OUs are also there for a reason, and that reason is to simplify the planning and assignment of group policies.
I do not have this filtering set for the entire domain. It is set for a specific OU in which I have multiple users, and I require policies to apply to some users and not others of the same department.

My Organization (multi-national, over 10 000 computers) did research and approved of this method I have suggested for my local OU to which it is applied.

Caution is to be used, I agree, but it can be done...
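
The two-GPO security-filtering procedure described in the thread, scripted with the GroupPolicy PowerShell module as an added example (not code from any poster). Assumptions: the OU path is a placeholder, and `shopJuniorStaff` is a hypothetical group holding only the junior staff; unlike the posted steps, Authenticated Users keeps Read (without Apply), because since MS16-072 user policy is fetched in the computer's security context and a GPO the computer cannot read is not applied.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

# Assumptions: placeholder OU; 'shopJuniorStaff' is a hypothetical group.
$TargetOu = 'OU=Shops,DC=example,DC=com'
$Policies = @(
    @{ Name = 'my-shop-admins-corp';   Group = 'shopManagers';    BlockIE = $false },
    @{ Name = 'my-shop-jr_staff-corp'; Group = 'shopJuniorStaff'; BlockIE = $true  }
)

foreach ($p in $Policies) {
    $gpo = New-GPO -Name $p.Name -Comment "Security-filtered to $($p.Group)"

    # Security filtering: only the named group gets Read + Apply group policy.
    Set-GPPermission -Guid $gpo.Id -TargetName $p.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Downgrade Authenticated Users from Apply to Read instead of removing it,
    # so computer accounts can still read the GPO (MS16-072 behaviour).
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    if ($p.BlockIE) {
        # Registry values behind "Don't run specified Windows applications".
        $key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'DisallowRun' `
            -Type DWord -Value 1 | Out-Null
        Set-GPRegistryValue -Guid $gpo.Id -Key "$key\DisallowRun" -ValueName '1' `
            -Type String -Value 'iexplore.exe' | Out-Null
    }

    New-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null

    # Audit step: list every trustee and permission so the filtering is documented.
    Get-GPPermission -Guid $gpo.Id -All |
        Select-Object @{n='GPO';e={$p.Name}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

The DisallowRun setting only stops Explorer from launching a program by that file name; a renamed copy or another browser is not covered, so it restricts one application rather than Internet access as such.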