I tried something yesterday that didn't work very well and I'm hoping you can spot the error.
A client of ours wanted to lock down the internet for their users while keeping the managers free to do whatever.
There are 2 DNS servers there. One forwards out to the internet and I configured the second as a forwarder to opendns.com. DNS2 was configured as a secondary zone to DNS1. I put the 4 XP computer accounts into their own OU and applied a group policy to assign DNS2 as their DNS server.
When the policy replicated, however, they didn't have access to their main database (hosted on DNS1) or the Internet.
I ended up having to undo the whole solution last night and now we're back where we started - with DNS2 disabled and all machines pointing to DNS1.
What do you guys think?