how to restrict browsing the internet from client machines

I would like to block the internet browsing of 7 out of 9 users on the network, but the machines should be able to access the internet to automatically update the antivirus.

the server is Microsoft Windows Server 2003 R2.
Client Machines are Windows XP Professional.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

B HCommented:
does your router/firewall device support this?  that would be best.

we use the zyxel zywall 2, it allows for you to specify which ip addresses can access which sites, or deny all sites except a specified list... or block certain sites but allow everything else... etc

there isn't anything built-in to windows that will allow for you to do this...
you can use a group policy to set a proxy setting in internet explorer - set it to something that doesnt exist or isnt a real proxy.
alternatively - to block some sites for all users - put a dns entry in on your server so when they try to go to the site it wont come up.

each of these methods isnt perfect - ideally you need to run a firewall or proxy server that integrates with active directory.
DonNetwork AdministratorCommented:
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

B HCommented:
any dns solution is going to require entering every possible domain/host name and setting them to or something invalid

steadystate is awesome for locking down what users can do on the machine but i dont see how it can lock down web browsing

turning on a proxy will prevent windows update, and might mess with other 3rd party programs that rely on the IE proxy settings
DonNetwork AdministratorCommented:
"any dns solution is going to require entering every possible domain/host  name and setting them to or something invalid"

No it is not!!!
DonNetwork AdministratorCommented:
"steadystate is awesome for locking down what users can do on the machine  but i dont see how it can lock down web browsing"

Web addresses allowed option


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ozzie101Author Commented:

what about using " Set Program Access and defaults " within Windows XP?

if I restrict Internet Explorer, would my antivirus update automatically?
B HCommented:
windows updates will run even if you set the default web browser to something else

set program access and defaults is just saying what programs you want things to open in, not weather or not it should be allowed
DonNetwork AdministratorCommented:
Try Steady state with the "Prevent internet access(except websites below)" option.

Steady state is free and from microsoft and also has the option of "Windows Disk Protection" which is comparable to Deep Freeze
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.