Solved

Group Policy (in IE) to ONLY ALLOW trusted site browsing

Posted on 2011-03-03
Last Modified: 2012-05-11
Hello, I have a Windows 2003 domain controller that I need to enable a GPO for my Windows 2003 terminal server that remote users log into.

I want to make sure that the remote users are ONLY able to browse to the sites I designate as allowed in Internet Explorer (i.e. webmail over HTTPS). What is the best group policy setting to enable this? How do I make sure that they are not able to disable or modify the IE changes?

Currently I have an IE GPO that doesn't allow them to click certain menu items and other limitations, utilizing loopback processing, so I am familiar with GPO; however, I do not know how to restrict browsing habits. Any help would be appreciated!
Question by:XAnalyzer

Author Comment

by:XAnalyzer
Anyone?
 
LVL 38

Accepted Solution

by:
ChiefIT earned 167 total points
Working with trusted sites will not really give you the results you wish. This is why you are not seeing much response to this thread.

The trusted sites list tells the computer whether you want to allow potentially operating-system-intrusive files to be run from the trusted site (as in this case).
 http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html

Group policies can content filter, but it is cumbersome to control web filtering.
http://support.microsoft.com/kb/556044
______________________________________________________
With that said, you really should evaluate what you want to filter and maybe consider using the router as a filtering agent.

Routers can use ACLs (access control lists) on a specific port on the router. So, let's say you have a VPN connection on the router. You can permit what you want, and then deny everything thereafter on that port that services the VPN connection. This ensures local traffic is OK and the VPN port will not forward any requests to inside the network you do not want.

An alternative is a web proxy, which Group Policy can control (as you can see in the Microsoft article).

A problem with group policies is that you need to have the ADM templates for the correct versions of their Internet Explorer. BUT this group policy does NOT provide a policy for a different web browser, like Opera and Firefox. So, even with the policy in place, remote users may still bypass your GPOs really easily.

This is the reason why I suggest ACLs on the router.


NOW, if you want to control all users (remote and local) in the same way, a WEB PROXY server is probably the best way to go.
 

Author Comment

by:XAnalyzer
Hmm, I am not sure, ChiefIT, if ACLs can be set up for this scheme.
I have a 4-port VPN router (RV042) first of all, but I'm sure ACLs can be configured. The terminal server is running off the regular port 3389 and web browsing is port 80. I do not want any users on the Terminal Server (3389) to browse the web (80) except for 2-3 allowed sites. How would I set up an ACL to achieve this?
 

Author Comment

by:XAnalyzer
"A problem with group policies is that you need to have the ADM templates for the correct versions of their Internet Explorer. BUT this group policy does NOT provide a policy for a different web browser, like Opera and Firefox. So, even with the policy in place, remote users may still bypass your GPOs really easily."

This isn't an issue because my terminal server is heavily locked down and no installations are possible (although downloads are). So we are using the latest Internet Explorer and no other browsers are permitted for install.
 
LVL 38

Expert Comment

by:ChiefIT
Well, group policies include an OU that seeks the server to determine a list of web sites. The policy itself acts as a proxy to that OU. So, maybe this will work. The Microsoft article explains how to set up the server as a proxy using GP.

http://support.microsoft.com/kb/556044
 

Author Comment

by:XAnalyzer
Does not seem to work. Followed the instructions as per KB 556044 but all I see is "Detecting proxy settings..." and the websites load anyway.
 
LVL 38

Expert Comment

by:ChiefIT
What IP did you list as your proxy server?

Remember, the article stated if you don't have a proxy, then use 0.0.0.0.
 

Author Comment

by:XAnalyzer
I tried 0.0.0.0 and 192.1681.200 (fake IP) and still no go. Even found a registry edit (http://support.microsoft.com/kb/306915) and still nothing.
 

Author Comment

by:XAnalyzer
As you can see, all the settings for the GPO appear normal (loopback replace, fake proxy IP, etc.).
(attached screenshot: Capture.JPG)
 
LVL 38

Expert Comment

by:ChiefIT
The clients are getting the policy?

Have you checked to see if the proxy is passed down to your clients?
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
What somebody should have said from the beginning is: there is no such thing; you cannot do what you are trying to do. That is the only true, honest answer to what you are specifically asking in the original question.

The Security Zones in the browser cannot, and will not, block browsing to sites. All the Security Zones do is determine what browser features are allowed to operate in conjunction with the Zone the site is in.
 
LVL 29

Expert Comment

by:pwindell
Ok, looks like ChiefIT pretty much said the same thing; sorry I didn't notice that at first.
 
LVL 13

Expert Comment

by:upalakshitha
This ADM template has more settings. See if there is something that you are waiting for.
Remove the .zip extension and import it.
(attachment: Windows-SteadyState.adm.zip)
 

Author Comment

by:XAnalyzer
Not sure why, in theory, what I'm asking for cannot be done. It seems reasonable to assume that setting up a machine-specific proxy GPO would block every site except the ones listed in the GPO whitelist settings? It's just not happening on the machine and I'm not sure why, hence the reluctance to award any PTS just yet.
 

Author Comment

by:XAnalyzer
Thank you all for your contributions though. Let's make this work!
 
LVL 29

Expert Comment

by:pwindell
A "Proxy GPO" is worthless without a proxy; you don't have a proxy, you said so yourself.

Security Zones do not block anything. Security Zones enable or disable certain browser features, and nothing more; you can't block sites with Zones. You are wasting your time trying to do it this way.
 

Author Comment

by:XAnalyzer
@pwindell: do you have a better idea?

And in regards to your comments, even though I do not have a proxy, I'm setting one up, albeit a fake one, so why can't it work? I want all sites EXCEPT one to redirect through a (fake) proxy, meaning that it shouldn't take users anywhere. This is like setting a (fake) proxy server on a local workstation and having it go nowhere because the proxy does not exist, thus the user goes nowhere (FYI, this is how malware works).
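A check for ChiefIT's question above (did the proxy settings actually reach the users?) together with a model of the bypass-list behaviour XAnalyzer is relying on, as an added example that is not from this thread or from either poster. It assumes it is run as the affected user inside the terminal-server session; the sample host names are constructed, and the bypass matching is a simplification of IE's (it ignores protocol prefixes in the list).

```powershell
# Added example, not from the thread. Reports the Internet Explorer proxy
# configuration that actually landed in this user's profile, whether the GPO
# locks it against the user changing it, and which hosts the bypass list
# would send direct rather than to the (possibly non-existent) proxy.
# Assumption: standard IE registry locations on a domain-joined Windows box.
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

$cfg = Get-ItemProperty -Path $settings -ErrorAction SilentlyContinue
$pol = Get-ItemProperty -Path $policy   -ErrorAction SilentlyContinue

"ProxyEnable   : $($cfg.ProxyEnable)"
"ProxyServer   : $($cfg.ProxyServer)"
"ProxyOverride : $($cfg.ProxyOverride)"
# Proxy = 1 under the Control Panel policy key is what the GPO
# "Disable changing proxy settings" writes; without it the user can undo the GPO.
"Proxy locked  : $(if ($pol.Proxy -eq 1) { 'yes' } else { 'NO - user can change it' })"

function Test-ProxyBypass {
    param([string]$HostName, [string]$Override)
    # IE bypass list: ';'-separated patterns, '*' wildcard,
    # '<local>' means any name without a dot. Simplified: no protocol prefixes.
    foreach ($entry in ($Override -split ';' | Where-Object { $_ })) {
        $pattern = $entry.Trim()
        if ($pattern -eq '<local>') {
            if ($HostName -notmatch '\.') { return $true }
            continue
        }
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# Constructed sample hosts: names matching the bypass list go direct (the
# allowed sites); everything else is handed to whatever ProxyServer names.
foreach ($h in 'webmail.example.com', 'intranet', 'www.bing.com') {
    $direct = Test-ProxyBypass -HostName $h -Override $cfg.ProxyOverride
    $route  = if ($direct) { 'direct (allowed)' } else { "proxy $($cfg.ProxyServer)" }
    '{0,-22} -> {1}' -f $h, $route
}
```

If ProxyServer or ProxyOverride come back empty here, the settings never reached the profile and the debate about fallback behaviour is moot; fix policy delivery first.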
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 333 total points
I can think of two things; one is free. I actually use both of these in combination.

1. Use a Firewall or Proxy Server that is capable of sophisticated Access Control Rules. Any business-grade product should be able to do this.

2. Use OpenDNS (www.opendns.com). This is a free service. You create an account with them and then in your account settings you specify things you want blocked based on the category of the site. They also have WhiteLists and BlackLists that you can add specific sites to. You then set the DNS Forwarder in your AD/DNS to be the IP#s of OpenDNS's DNS servers and you're done.

Keep in mind that filtering with the OpenDNS service is global; it is not possible to have different settings for different users. But with a Firewall or Proxy you can get more granular. However, it is humanly impossible for you to maintain category lists of sites that are good, bad, evil, or indifferent, so you simply cannot get "carried away" with trying to do all that yourself on a Firewall or Proxy. That is why I combine both methods together at our place; I run MS's ISA 2006 as our firewall and combine that with OpenDNS.

I tried using GPO with the IE Zones once in the past for a different reason than you, but it was a total waste of time; plus it removed the ability to add/remove Zone items locally and manually, meaning I had to be responsible for everyone's zone from then on and try to keep everyone "happy". So that ended pretty fast.
 
LVL 29

Expert Comment

by:pwindell
You can't have a "fake" proxy. You have to have a real proxy. I tried to drive to work one day in my fake car but it would not start with the fake key :-) So I had to go buy a real car.
 
LVL 29

Expert Comment

by:pwindell
"This is like setting a (fake) proxy server on a local workstation and having it go nowhere because the proxy does not exist, thus the user goes nowhere (FYI, this is how malware works)."

I didn't really address that very well. The normal behavior of IE when it has "proxy settings" is to first try the proxy; if the proxy is not reachable then it tries to go direct, hence you cannot "black-hole" sites like that.

The method you are probably thinking of is when you black-hole a domain name by putting the domain in the local Hosts file with an address of 127.0.0.1.
