Solved

How do I prevent internet access to ONE user on the domain

Posted on 2010-09-20
Last Modified: 2012-06-21
Using SBS2008, is there a way to prevent internet access to one user? I don't want this user to access the internet at all. They still need access to the network for various shared folders on the server but no web access. Is there a way to pull this off?
0
Question by:Mcottuli
14 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33716047
If they are using DHCP the simplest thing is to set up a DHCP reservation for that user. Within the reservation set a non-existent gateway address. If you need a hand as to how to configure reservations let us know.
0
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 33716087
I think the best way is to use Group Policy to restrict running of IE. However, if you are new to GPs it may take you some trial and error before getting it right. Remember, you need to set up a group policy first, then apply it to that user (or group).

I would prefer putting that user in a new group, so that if in future you need to do the same to other user(s) you can put them into the same group and GPs will apply to them all.

Alternatively, you may set this at firewall level, to restrict by IP address. You will have to give this computer a fixed IP though. It is not ideal because it is machine based.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33716140
You can create a GPO that gives the user a false proxy server which will direct them to a false IP address.

User configuration>Windows Settings>Internet Explorer Maintenance>Connection
0
 
LVL 17

Expert Comment

by:Ivan
ID: 33716148
Hi,

If that user is only using IE then you can set some fake proxy server address in IE, which will then be unable to resolve web addresses.
Same thing can be done on proxy server, with some new group that will have blocked internet access.
0
 
LVL 1

Expert Comment

by:mijanous
ID: 33716163
How are the users connecting to the internet, and what is your server for?
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33716236
The proxy server idea is good if you still want them to be able to access SharePoint, as you can set the option to bypass the proxy for local addresses.
You may still have an issue if they try to install Firefox etc., so make sure they aren't local administrators so they can't install software.
0
 
LVL 1

Author Comment

by:Mcottuli
ID: 33716942
I would like to use the Group Policy method. I have set up a group that only this user exists under. What is the process from this point?
0
 
LVL 23

Accepted Solution

by:
ormerodrutter earned 2000 total points
ID: 33717138
0
 
LVL 1

Author Comment

by:Mcottuli
ID: 33718311
OK, per the last link I've created a group policy with just this user and the group that I've created the user for in it. Under IE maintenance/ connections/ proxy Settings I enabled Proxies with the IP of 127.0.0.1. Ran GPupdate /force and the user under that group still can access the internet. Any thoughts?
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 33720425
The easy way is to take that PC off DHCP and manually code their IP, Subnet and DNS servers. Leave the default gateway empty!
0
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 33723108
Using IP is machine based, using GPO is user based.

So, if the computer is dedicated only to that user you can try the IP method. However, if you grant the user local admin rights and he knows a bit about IT, he will be able to get himself "back online" within minutes. Also, no other user will be able to use the internet on that machine.

Using the GPO way is more reliable: no matter whether he is the local admin or not, as long as you don't grant him the Domain Admin right he can't get internet, regardless of which computer he logs in to (only computers in your domain, not his own laptop that he brought from home).

I think you haven't successfully applied the policy to that user group. Also, the user has to log out/in for the GP to take effect.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33724474
I had suggested DHCP reservations as it is centrally managed and hopefully the user is not an admin, or as ormerodrutter said they could easily make the necessary changes. However, one advantage of a user based GPO is the user cannot log on to another machine to make use of the Internet. Assuming they log onto another machine with their user name and password, they would be blocked by the GPO there as well. DHCP reservation is a 2 second change but for long term management I would have to agree a GPO is the better option.

Make sure you document it. An IT person following you a year later may curse you trying to locate what you did :-)
0
 
LVL 11

Expert Comment

by:FastFngrz
ID: 33725718
The GPO method will only work with Internet Explorer! What about Firefox and Chrome and AOL IM and Skype, etc, etc, etc?  

Are you trying to block the user or the computer?  Are you trying to block just web browsing or every-stinkin-thing?

Yes, my thought about editing the local IP stack will be moot if the user is a local admin (or can boot into another OS). The only 90% method is to block the PC's IP address or user at the firewall, away from the user's control. Of course, the user could just change their local IP address then, eh? Especially if they are local admin. And if they're local admin, they'll just stop GPO processing, or write a script to re-do the proxy every few minutes just after GPOs are applied!

IP based filtering (when you know the IP address of the workstation by hard coding or DHCP reservation) is easy, and any firewall can handle that. User based filtering is MUCH more complicated, 'cause then it will force all users to authenticate - either explicitly or via their login credentials.

Either way, you'll need management to back you up, so that should the user circumvent whatever technology you put in place, you have the 'teeth' to take corrective action.
0
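
A check an administrator could run inside the restricted user's own logon session to see whether the proxy GPO discussed in this thread actually applied, and whether the workstation can still reach the internet directly, which is the IE-only limitation raised above. This is an added example, not code from any poster; the test host, ports, timeout and the function name `Test-DirectEgress` are assumptions.

```powershell
# Added example, not from the thread. Run as the restricted user after a
# log off / log on. $TestHost is an assumed external target; replace it.
param(
    [string]$TestHost  = 'www.example.com',
    [int[]] $Ports     = @(80, 443),
    [int]   $TimeoutMs = 3000
)

# 1. Which user-scoped GPOs applied, and which were filtered out?
#    (/r is the Vista / Server 2008 and later syntax.)
gpresult /r /scope user

# 2. The proxy values IE (WinINET) is really using for this user.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $key
$proxyOn = ($inet.ProxyEnable -eq 1)
"ProxyEnable   : $($inet.ProxyEnable)"
"ProxyServer   : $($inet.ProxyServer)"
"ProxyOverride : $($inet.ProxyOverride)"

# 3. Direct TCP connection that ignores proxy settings, as a non-IE
#    application would make it. Returns $true if the port is reachable.
function Test-DirectEgress {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                      # timed out: treated as blocked
        }
        $client.EndConnect($pending)           # throws if the connect failed
        return $true
    } catch {
        return $false                          # DNS failure or refused/blocked
    } finally {
        $client.Close()
    }
}

$open = @($Ports | Where-Object { Test-DirectEgress $TestHost $_ $TimeoutMs })

# 4. Interpret the two results together.
if (-not $proxyOn) {
    'Proxy policy NOT in effect: check GPO link, security filtering, re-logon.'
} elseif ($open.Count -gt 0) {
    "Proxy set, but direct egress works on port(s) $($open -join ', '): " +
    'only proxy-aware apps are restricted; block at the firewall or router.'
} else {
    'Proxy set and no direct egress on the tested ports.'
}
```

If step 2 shows the proxy values missing, the `gpresult` output from step 1 shows whether the GPO was applied to or filtered out for this user.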
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33725802
The other option, if the user/s use only one machine (one IP): many routers allow you to block some or all access to the internet.
0

Question has a verified solution.
