Solved

W2K3, Terminal Services, and Internet Explorer

Posted on 2009-05-05
Last Modified: 2013-11-21
Hello all,
I have a client that has a Windows 2003 R2 server that is running terminal services.  All users access this server via terminal services.
I want to deny access to any of the users in the non_admin group from being able to run Internet Explorer to surf the web, etc.  Here is the monkey wrench in this whole procedure.  The canned software uses parts of Internet Explorer in order to show different things like scanned insurance cards, etc., but there is no place to get to the internet on those pages.
I have tried doing an explicit deny on the iexplore.exe file but when I do that then those users that go to look at things like scanned insurance cards get an error.
I have also tried going in and setting a different proxy setting, but that doesn't work since this server is pointed at the DNS server in the domain for internet.
I have also tried going in to the GPO and under the user configuration setting to deny running iexplore.exe.  That works partially.  If they double click on the Internet Explorer icon it stops them running IE, but if they click on the IE icon in the Quick Launch then it does not work.
Any ideas on what I could do?
Thanks,
Kelly W.
Question by:Kelly_W
5 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 24303971


Since you cannot prevent them from running IE, as it is needed for other content, maybe try Content Advisor.

HOW TO: Use the Internet Explorer 6 Content Advisor to Control Access to Web Sites in Internet Explorer
http://support.microsoft.com/kb/310401

Mark
0
 
LVL 4

Author Comment

by:Kelly_W
ID: 24304013
Hello,
With content advisor can you do this:
1) from a GPO,
2) from the administrator of the domain and it flows to everyone,
3)  or do you have to do it from every single logon.
I really do not want to do step 3 as we have over 200 users and I don't really want to sign on as each individual user.
Thanks,
Kelly W.
0
 
LVL 10

Accepted Solution

by:
JaredJ1 earned 2000 total points
ID: 24312840
The proxy server idea should work. In fact, I have just tested it and it works perfectly. Make sure that you enable a proxy server, and enter in an invalid proxy name or IP address, e.g. "crapproxy.local", port 8000.
Once done you may need to enter in an exception so that your application can access the local content. For example, if your app is looking for images on a server share "\\ServerA\Share" you would need to list "ServerA" in your proxy exception list. Once done the users won't be able to access the internet although they will be able to launch IE (and the app will also be able to display its necessary content).

If you apply via group policy you can lock it down so that the users are unable to change the proxy settings. You can also filter the group policy so that it doesn't apply to administrators.
0
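A check for the lockdown described in the accepted answer, added here as an example and not posted by anyone in the thread. It assumes PowerShell 2.0 or later, is run inside the affected user's session (the settings live in HKCU), and uses the answer's sample values `crapproxy.local:8000` and `ServerA`; the function name is hypothetical.

```powershell
# Added example: audit the current user's IE (WinINET) proxy lockdown.
# Expected values mirror the accepted answer; change them to what your GPO sets.
function Test-DeadProxyLockdown {
    param(
        [string]$ExpectedProxy    = 'crapproxy.local:8000',  # dead proxy (sample value)
        [string[]]$RequiredBypass = @('ServerA')             # hosts the app must still reach
    )

    $inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

    # A missing key yields $null; property reads on $null then return $null.
    $s = Get-ItemProperty -Path $inet   -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

    # ProxyOverride is the exception list, stored as a semicolon-separated string.
    $bypass = @()
    if ($s.ProxyOverride) {
        $bypass = @($s.ProxyOverride -split ';' | ForEach-Object { $_.Trim() })
    }
    $missing = @($RequiredBypass | Where-Object { $bypass -notcontains $_ })

    $findings = @()
    if ($s.ProxyEnable -ne 1)              { $findings += 'Proxy is not enabled' }
    if ($s.ProxyServer -ne $ExpectedProxy) { $findings += "ProxyServer is '$($s.ProxyServer)'" }
    if ($s.AutoConfigURL)                  { $findings += 'AutoConfigURL is set and can override the static proxy' }
    if ($bypass -contains '*')             { $findings += 'Exception list contains *, which bypasses the proxy for everything' }
    if ($missing.Count -gt 0)              { $findings += "Exception list lacks: $($missing -join ', ')" }
    # "Disable changing proxy settings" policy writes Proxy = 1 under the policy key.
    if ($p.Proxy -ne 1)                    { $findings += 'User can still change proxy settings' }

    New-Object PSObject -Property @{
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-DeadProxyLockdown | Format-List
```

These are per-user WinINET settings, so the check says nothing about programs that do not read them; an egress rule on the firewall is what enforces the block at the network level.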
 
LVL 4

Author Closing Comment

by:Kelly_W
ID: 31577984
Instead of using IP address 0.0.0.0 I did 1.1.1.1 with a port of 12345. It worked beautifully.
0
 

Expert Comment

by:GospodinRasputin
ID: 24785687
Hi jaredJ1,
I have a similar situation here but could not follow your answer. Which proxy server idea should work? I can't see any prior mention of a suggestion to point the proxy server to an invalid IP/address. Are you referring to the proxy server settings within GPO?
Thank you
GospodinRasputin
0
