Solved

How do I prevent internet access to ONE user on the domain

Posted on 2010-09-20
Last Modified: 2012-06-21
Using SBS2008, is there a way to prevent internet access to one user? I don't want this user to access the internet at all. They still need access to the network for various shared folders on the server but no web access. Is there a way to pull this off?
Question by:Mcottuli
14 Comments
 
LVL 77

Expert Comment

by:Rob Williams
If they are using DHCP the simplest thing is to set up a DHCP reservation for that user. Within the reservation set a non-existent gateway address. If you need a hand as to how to configure reservations let us know.
0
 
LVL 23

Expert Comment

by:ormerodrutter
I think the best way is to use Group Policy to restrict running of IE. However, if you are new to GPs it may take you some trial and error before getting it right. Remember, you need to set up a group policy first, then apply it to that user (or group).

I would prefer putting that user in a new group, so that if in future you need to do the same to other user(s) you can put them into the same group and GPs will apply to them all.

Alternatively, you may set this at firewall level, to restrict by IP address. You will have to give this computer a fixed IP though. It is not ideal because it is machine based.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
You can create a GPO that gives the user a false proxy server, which will direct them to a false IP address.

User configuration>Windows Settings>Internet Explorer Maintenance>Connection
0
 
LVL 15

Expert Comment

by:Ivan
Hi,

If that user is only using IE then you can set some fake proxy server address in IE, which will then be unable to resolve web addresses.
The same thing can be done on a proxy server, with some new group that will have blocked internet access.
0
 
LVL 1

Expert Comment

by:mijanous
How are the users connecting to the internet, and what is your server for?
0
 
LVL 20

Expert Comment

by:wolfcamel
The proxy server idea is good if you still want them to be able to access SharePoint, as you can set the option to bypass the proxy for local addresses.
You may still have an issue if they try to install Firefox etc., so make sure they aren't local administrators so they can't install software.
0
 
LVL 1

Author Comment

by:Mcottuli
I would like to use the Group Policy method. I have set up a group that only this user exists under. What is the process from this point?
0

 
LVL 23

Accepted Solution

by:ormerodrutter earned 500 total points
0
 
LVL 1

Author Comment

by:Mcottuli
OK, per the last link I've created a group policy with just this user and the group that I've created the user for in it. Under IE maintenance/connections/proxy settings I enabled proxies with the IP of 127.0.0.1. I ran GPupdate /force and the user under that group can still access the internet. Any thoughts?
0
 
LVL 11

Expert Comment

by:FastFngrz
The easy way is to take that PC off DHCP and manually code their IP, subnet and DNS servers. Leave the default gateway empty!
0
 
LVL 23

Expert Comment

by:ormerodrutter
Using IP is machine based, using GPO is user based.

So, if the computer is dedicated only to that user you can try the IP method. However, if you grant the user local admin rights and he knows a bit about IT, he will be able to get himself "back online" within minutes. Also, no other user will be able to use the internet on that machine.

Using the GPO way is more reliable: whether he is a local admin or not, as long as you don't grant him Domain Admin rights he can't get internet, regardless of which computer he logs in to (only computers in your domain, not his own laptop that he brought from home).

I think you haven't successfully applied the policy to that user group. Also, the user has to log out/in for the GP to take effect.
0
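One way to check the diagnosis in the comment above from the restricted user's own session, as an added example that is not part of the original thread. `Test-BlockingProxy` is a hypothetical helper name; the 127.0.0.1 value is the one the asker configured, and the sample object is constructed.

```powershell
# Added example: run as the restricted user after they have logged off and on again.
# Test-BlockingProxy is a hypothetical helper; 127.0.0.1 is the proxy value used in this thread.
function Test-BlockingProxy {
    param(
        [Parameter(Mandatory = $true)] $Settings,   # object with ProxyEnable / ProxyServer / ProxyOverride
        [string] $ExpectedProxy = '127.0.0.1'
    )
    $findings = @()
    if ($Settings.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1: no proxy is active for this user, so the policy has not applied.'
    }
    if ([string]$Settings.ProxyServer -notlike "*$ExpectedProxy*") {
        $findings += "ProxyServer is '$($Settings.ProxyServer)', expected it to contain $ExpectedProxy."
    }
    if ([string]$Settings.ProxyOverride -notlike '*<local>*') {
        $findings += 'ProxyOverride lacks <local>: intranet sites will also be sent to the dead proxy.'
    }
    if ($findings.Count -eq 0) {
        'OK: the blocking proxy is in effect for this user.'
    } else {
        $findings
    }
}

# Constructed sample: what the values look like when the policy has NOT reached the user.
$sample = New-Object PSObject -Property @{ ProxyEnable = 0; ProxyServer = $null; ProxyOverride = $null }
Test-BlockingProxy -Settings $sample

# Live check against the current user's WinINET settings (the ones Internet Explorer reads).
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$live = Get-ItemProperty -Path $key
Test-BlockingProxy -Settings $live

# List the GPOs applied to this user; the new policy should appear among the applied objects,
# not among the ones filtered out.
gpresult /r /scope user
```

A pass here only covers applications that honor the Internet Explorer proxy settings, which is the limitation raised later in the thread.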
 
LVL 77

Expert Comment

by:Rob Williams
I had suggested DHCP reservations as it is centrally managed and hopefully the user is not an admin, or as ormerodrutter said they could easily make the necessary changes. However, one advantage of a user based GPO is the user cannot log on to another machine to make use of the Internet. Assuming they log onto another machine with their user name and password, they would be blocked by the GPO there as well. DHCP reservation is a 2 second change but for long term management I would have to agree a GPO is the better option.

Make sure you document it. An IT person following you a year later may curse you trying to locate what you did :-)
0
 
LVL 11

Expert Comment

by:FastFngrz
The GPO method will only work with Internet Explorer! What about Firefox and Chrome and AOL IM and Skype, etc, etc, etc?  

Are you trying to block the user or the computer?  Are you trying to block just web browsing or every-stinkin-thing?

Yes, my thought about editing the local IP stack will be moot if the user is a local admin (or can boot into another OS). The only 90% method is to block the PC's IP address or user at the firewall, away from the user's control. Of course, the user could just change their local IP address then, eh? Especially if they are local admin. And if they're local admin, they'll just stop GPO processing, or write a script to re-do the proxy every few minutes just after GPOs are applied!

IP based filtering (when you know the IP address of the workstation by hard coding or DHCP reservation) is easy, and any firewall can handle that. User based filtering is MUCH more complicated, because then it will force all users to authenticate - either explicitly or via their login credentials.

Either way, you'll need management to back you up, so that should the user circumvent whatever technology you put in place, you have the 'teeth' to take corrective action.
0
 
LVL 77

Expert Comment

by:Rob Williams
The other option, if the user/s use only one machine (one IP): many routers allow you to block some or all access to the internet.
0
