So the situation is I have a group of computers that I need to restrict internet access on. I would like to do this in Group Policy so that I can just add a computer to the group if I need this to apply to further computers in the future. After trying numerous "solutions", the only one that I have found to work is the following:
In Group Policy, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Software restrictions.
From there I created a new software restriction policy and it created a Security Levels and an Additional Rules. Under the additional rules I tried creating a Network Zone Rule for "internet" and that did not work. I also tried creating a New Hash Rule and navigating to the iexplorer.exe. It populated the data correctly, but when I tested it the computers could still open Internet Explorer. Finally, I added a New Path Rule and selected the entire Internet Explorer folder. This worked when I tested it, giving me the message that this application was blocked by group policy.
So after this I noticed that any user could go into that folder and copy the .exe to a different location or bring in a different .exe and run this and it would work fine.
So my question is: how do I prevent this from running, period, no matter where the executable is? I know I can sit down at each machine and spoof the connection settings to run at a fake proxy and then disable them from changing the connection settings, but I don't want to have to go to each computer and change this. I know there is a setting under User Configuration to do this, but I want it to be on a per-computer basis, not a per-user basis. In addition, when I tested this out on a single user account it still did not apply the settings.
I believe that the AD and Group Policy is from a Windows Server 2003 format and the machines that we are doing this on are Windows 7.