  • Status: Solved

How do I prevent internet access to ONE user on the domain

Using SBS2008, is there a way to prevent internet access to one user? I don't want this user to access the internet at all. They still need access to the network for various shared folders on the server but no web access. Is there a way to pull this off?
Asked by: Mcottuli
1 Solution
 
Rob Williams Commented:
If they are using DHCP the simplest thing is to set up a DHCP reservation for that user. Within the reservation set a non-existent gateway address. If you need a hand as to how to configure reservations let us know.
 
ormerodrutter Commented:
I think the best way is to use Group Policy to restrict running of IE. However, if you are new to GPs it may take you a few rounds of trial and error before getting it right. Remember, you need to set up a group policy first, then apply it to that user (or group).

I would prefer putting that user in a new group, so that if in future you need to do the same to other user(s) you can put them into the same group and GPs will apply to them all.

Alternatively, you may set this at firewall level, to restrict by IP address. You will have to give this computer a fixed IP though. It is not ideal because it is machine based.
 
Darius Ghassem Commented:
You can create a GPO that gives the user a false proxy server, which will direct them to a false IP address.

User Configuration > Windows Settings > Internet Explorer Maintenance > Connection
 
Ivan (System Engineer) Commented:
Hi,

If that user is only using IE, then you can set some fake proxy server address in IE, which will then be unable to resolve web addresses.
The same thing can be done on a proxy server, with some new group that will have blocked internet access.
 
mijanous Commented:
How are the users connecting to the internet, and what is your server for...
 
wolfcamel Commented:
The proxy server idea is good if you still want them to be able to access SharePoint, as you can set the option to bypass the proxy for local addresses.
You may still have an issue if they try to install Firefox etc., so make sure they aren't local administrators so they can't install software.
 
Mcottuli (Author) Commented:
I would like to use the Group Policy method. I have set up a group that only this user exists under. What is the process from this point?
 
Mcottuli (Author) Commented:
OK, per the last link I've created a group policy with just this user and the group that I've created the user for in it. Under IE Maintenance / Connection / Proxy Settings I enabled proxies with the IP of 127.0.0.1. I ran GPupdate /force and the user under that group can still access the internet. Any thoughts?
 
FastFngrz Commented:
The easy way is to take that PC off DHCP and manually code their IP, subnet and DNS servers. Leave the default gateway empty!
 
ormerodrutter Commented:
Using IP is machine based, using GPO is user based.

So, if the computer is dedicated only to that user you can try the IP method. However, if you grant the user local admin rights and he knows a bit about IT he will be able to get himself "back online" within minutes. Also, no other user will be able to use the internet on that machine.

Using the GPO way is more reliable: no matter whether he is the local admin or not, as long as you don't grant him the Domain Admin right he can't get internet, regardless of which computer he logs in to (only computers in your domain, not his own laptop that he brought from home).

I think you haven't successfully applied the policy to that user group. Also, the user has to log out/in for GP to take effect.
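
Added example (not part of the original thread and not any poster's code): a PowerShell check for the situation above, where the proxy GPO exists but the user still reaches the internet. Run it in the restricted user's own session after they log off and on again; the GPO name `Block Internet` is a hypothetical placeholder, and the parsing assumes English-language `gpresult` output.

```powershell
# Added example: confirm that the dead-end proxy GPO actually reached this user.
function Test-ProxyBlockApplied {
    param(
        [string]$ExpectedProxy = '127.0.0.1',      # proxy address used in the thread
        [string]$GpoName       = 'Block Internet'  # hypothetical name; use your GPO's name
    )

    # Per-user proxy settings read by Internet Explorer (WinINET).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $enabled = $false
    $server  = $null
    if ($s) {
        $enabled = ($s.ProxyEnable -eq 1)
        $server  = $s.ProxyServer
    }

    # Resultant set of policy for the logged-on user. GPOs listed after the
    # "were not applied" heading were filtered out (security filtering, WMI
    # filter, or the GPO is linked to an OU that does not contain the user).
    $rsop = (gpresult /r /scope user 2>&1 | Out-String)
    $cut  = $rsop.IndexOf('were not applied')
    if ($cut -lt 0) {
        $applied  = $rsop
        $filtered = ''
    } else {
        $applied  = $rsop.Substring(0, $cut)
        $filtered = $rsop.Substring($cut)
    }

    New-Object PSObject -Property @{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        ProxyEnabled   = $enabled
        ProxyServer    = $server
        ProxyMatches   = ($enabled -and ($server -like "*$ExpectedProxy*"))
        GpoApplied     = $applied.Contains($GpoName)
        GpoFilteredOut = $filtered.Contains($GpoName)
    }
}

Test-ProxyBlockApplied | Format-List
```

If `GpoApplied` is false, the GPO is not linked or filtered to reach this user account; if it is true but `ProxyMatches` is false, the user has not logged off and on since the policy was set.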
 
Rob Williams Commented:
I had suggested DHCP reservations as it is centrally managed and hopefully the user is not an admin, or as ormerodrutter said they could easily make the necessary changes. However, one advantage of a user based GPO is the user cannot log on to another machine to make use of the Internet. Assuming they log onto another machine with their user name and password, they would be blocked by the GPO there as well. DHCP reservation is a 2 second change but for long term management I would have to agree a GPO is the better option.

Make sure you document it. An IT person following you a year later may curse you trying to locate what you did :-)
 
FastFngrz Commented:
The GPO method will only work with Internet Explorer! What about Firefox and Chrome and AOL IM and Skype, etc, etc, etc?

Are you trying to block the user or the computer? Are you trying to block just web browsing or every-stinkin-thing?

Yes, my thought about editing the local IP stack will be moot if the user is a local admin (or can boot into another OS). The only 90% method is to block the PC's IP address or user at the firewall, away from the user's control. Of course, the user could just change their local IP address then, eh? Especially if they are local admin. And if they're local admin, they'll just stop GPO processing, or write a script to re-do the proxy every few minutes just after GPOs are applied!

IP based filtering (when you know the IP address of the workstation by hard coding or DHCP reservation) is easy, and any firewall can handle that. User based filtering is MUCH more complicated, 'cause then it will force all users to authenticate - either explicitly or via their login credentials.

Either way, you'll need management to back you up, so that should the user circumvent whatever technology you put in place, you have the 'teeth' to take corrective action.
 
Rob Williams Commented:
The other option, if the user/s use only one machine (one IP): many routers allow you to block some or all access to the internet.