I have a client that has a Windows 2003 R2 server that is running terminal services. All users access this server via terminal services.
I want to deny access to any of the users in the non_admin group from being able to run Internet Explorer to surf the web, etc. Here is the monkey wrench in this whole procedure. The canned software uses parts of Internet Explorer in order to show different things like scanned insurance cards, etc., but there is no place to get to the internet on those pages.
I have tried doing an explicit deny on the iexplore.exe file but when I do that then those users that go to look at things like scanned insurance cards get an error.
I have also tried going in and setting a different proxy setting, but that doesn't work since thsi server is pointed at the DNS server in the domain for internet.
I have also tried going in to the GPO and under the user configuration setting to deny running iexplore.exe. That works partially. If they double click on the Internet Explorer icon it stops them running IE, but if they click on the IE icon in the Quick Launch then it does not work.
Any ideas on what I could do?