Group Policy (in IE) to ONLY ALLOW trusted site browsing

Hello, I have a Windows 2003 domain controller that I need to enable a GPO for my Windows 2003 terminal server that remote users log into.

I want to make sure that the remote users are ONLY able to browse to the sites I designate as allowed in Internet Explorer (i.e. webmail over HTTPS). What is the best group policy setting to enable this? How do I make sure that they are not able to disable or modify the IE changes?

Currently I have an IE GPO that doesn't allow them to click certain menu items, plus other limitations, utilizing loopback, so I am familiar with GPO; however, I do not know how to restrict browsing habits. Any help would be appreciated!
XAnalyzer (ASKER)
Anyone?
ASKER CERTIFIED SOLUTION
ChiefIT
Hmm, I am not sure, ChiefIT, if ACLs can be set up for this scheme.
I have a 4-port VPN router (RV042) first of all, but I'm sure ACLs can be configured. The terminal server is running off the regular port 3389 and web browsing is port 80. I do not want any users on the Terminal Server (3389) to browse the web (80) except for 2-3 allowed sites. How would I set up an ACL to achieve this?
"A problem with group policies is, you need to have the ADM templates for the correct versions of their Internet Explorer. BUT this group policy does NOT provide a policy for a different web browser, like Opera and Firefox. So, even with the policy in place, remote users may still bypass your GPO really easily."

This isn't an issue because my terminal server is heavily locked down and no installations are possible (although downloads are). So we are using the latest Internet Explorer and no other browsers are permitted for install.
Well, group policies include an OU that seeks the server to determine a list of web sites. The policy itself acts as a proxy to that OU. So, maybe this will work. The Microsoft article explains how to set up the server as a proxy using GP.

http://support.microsoft.com/kb/556044
Does not seem to work. I followed the instructions as per KB 556044, but all I see is "Detecting proxy settings..." and the websites load anyway.
What IP did you list as your proxy server?

Remember, the article stated if you don't have a proxy, then use 0.0.0.0.
I tried 0.0.0.0 and 192.1681.200 (fake IP) and still no go. Even found a registry edit (http://support.microsoft.com/kb/306915) and still nothing.
As you can see all the settings for GPO appear normal (loopback replace, fake proxy IP, etc.)
Capture.JPG
Are the clients getting the policy?

Have you checked to see if the proxy is passed down to your clients?
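One way to answer that question on the terminal server itself is to read back the proxy values at every registry scope a GPO can write them to, and compare them with what the policy was supposed to deliver. The script below is an added example, not code from the thread; the registry paths are the standard Internet Explorer "Internet Settings" and policy locations, and the expected exception list (`webmail.example.com`) is a constructed sample rather than the asker's real allow-list.

```powershell
# Added example (not from the thread): dump the IE proxy settings a client
# actually received, at every registry scope the policy can land in, so you can
# tell whether the GPO was delivered before debugging the GPO itself.
# The expected exception list is a constructed sample, not the asker's real one.

$expectedExceptions = 'webmail.example.com;<local>'   # constructed sample allow-list

$scopes = @(
    @{ Label = 'Machine policy';               Path = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' },
    @{ Label = 'Machine Internet Settings';    Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' },
    @{ Label = 'User Internet Settings';       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' },
    @{ Label = 'User IE Control Panel policy'; Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' }
)

function Get-IEProxyState {
    foreach ($s in $scopes) {
        # PowerShell 2.0-compatible object construction (the era of this thread)
        $o = New-Object PSObject -Property @{
            Scope = $s.Label; Present = $false; ProxySettingsPerUser = $null
            ProxyEnable = $null; ProxyServer = $null; ProxyOverride = $null; ProxyLocked = $null
        }
        if (Test-Path $s.Path) {
            $v = Get-ItemProperty -Path $s.Path
            $o.Present              = $true
            $o.ProxySettingsPerUser = $v.ProxySettingsPerUser   # 0 = proxy settings are per-machine
            $o.ProxyEnable          = $v.ProxyEnable            # 1 = IE uses the proxy
            $o.ProxyServer          = $v.ProxyServer            # host:port the GPO pushed
            $o.ProxyOverride        = $v.ProxyOverride          # semicolon list of "do not use proxy for" entries
            $o.ProxyLocked          = $v.Proxy                  # 1 = "Prevent changing proxy settings" (Control Panel key only)
        }
        $o | Select-Object Scope, Present, ProxySettingsPerUser, ProxyEnable, ProxyServer, ProxyOverride, ProxyLocked
    }
}

Get-IEProxyState | Format-List

# What the user's IE will actually use, compared with what the GPO should have set
$user = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($user.ProxyEnable -ne 1) {
    Write-Warning 'ProxyEnable is not 1: the proxy policy did not reach this user (check gpresult and loopback processing).'
}
if ($user.ProxyOverride -ne $expectedExceptions) {
    Write-Warning ("ProxyOverride is '{0}', expected '{1}'" -f $user.ProxyOverride, $expectedExceptions)
}

# Resultant Set of Policy for the logged-on user; on Windows 2003 run plain gpresult (no /r switch)
gpresult /r
```

Run it from a session of one of the remote users, not as an administrator, since loopback processing and per-user versus per-machine proxy settings decide which scope IE reads. If `Present` is false for the policy keys, the GPO never arrived and the proxy value you chose is irrelevant; if the values are there but browsing still works, the problem is in how IE treats the proxy, which is what the rest of the thread turns on.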
SOLUTION
OK... looks like ChiefIT pretty much said the same thing... sorry I didn't notice that at first.
Imal Upalakshitha
This ADM template has more settings. See if there is something that you are waiting for.
Remove .zip and import it.
Windows-SteadyState.adm.zip
Not sure why, in theory, what I'm asking for cannot be done? It seems reasonable to assume that setting up a machine-specific proxy GPO would block every site except the ones listed in the GPO whitelist settings? It's just not happening on the machine and I'm not sure why, hence the reluctance to award any PTS just yet.
Thank you all for your contributions though. Let's make this work!
A "Proxy GPO" is worthless without a proxy... you don't have a proxy... you said so yourself.

Security Zones do not block anything. Security Zones enable or disable certain browser features, and nothing more... you can't block sites with Zones. You are wasting your time trying to do it this way.
@pwindell: do you have a better idea?

And in regards to your comments, even though I do not have a proxy, I'm setting one up, albeit a fake one, so why can't it work? I want all sites EXCEPT one to redirect through a (fake) proxy, meaning that it shouldn't take users anywhere. This is like setting a (fake) proxy server on a local workstation and having it go nowhere because the proxy does not exist, thus the user goes nowhere (FYI: how malware works).
SOLUTION
You can't have a "fake" proxy. You have to have a real proxy. I tried to drive to work one day in my fake car but it would not start with the fake key :-) So I had to go buy a real car.
"This is like setting a (fake) proxy server on a local workstation and having it go nowhere because proxy does not exist thus user goes nowhere (fyi- how malware works)."

I didn't really address that very well. The normal behavior of IE when it has "proxy settings" is to first try the proxy... if the proxy is not reachable then it tries to go direct... hence you cannot "black-hole" sites like that.

The method you are probably thinking of is when you black-hole a Domain Name by putting the Domain in the local Hosts file with an address of 127.0.0.1
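The hosts-file black-hole pwindell refers to can be applied and verified with a few lines of PowerShell. This is an added example, not code from the thread or from any of the participants; the domain names in the block list are constructed samples, and the `# managed-blocklist` tag is an assumption chosen here so that re-running the script replaces its own entries instead of appending duplicates.

```powershell
# Added example (not from the thread): black-hole a list of domains via the
# hosts file, the method pwindell describes, idempotently.
# The domain list is a constructed sample; the tag is an assumed marker.

$blockList = @('ads.example.com', 'tracker.example.net')   # constructed sample
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$marker    = '# managed-blocklist'                           # assumed tag for lines this script owns

function Get-UpdatedHostsContent {
    param([string[]]$Existing, [string[]]$Domains, [string]$Tag)
    # Drop lines written by an earlier run, keep every other line untouched
    $kept = $Existing | Where-Object { $_ -notlike "*$Tag*" }
    # One 127.0.0.1 entry per domain; the name then resolves to loopback for
    # every application on the box, so the request goes nowhere
    $added = $Domains | ForEach-Object { "127.0.0.1`t$_`t$Tag" }
    return @($kept) + @($added)
}

$current = @()
if (Test-Path $hostsPath) { $current = Get-Content $hostsPath }
$new = Get-UpdatedHostsContent -Existing $current -Domains $blockList -Tag $marker

# Writing the hosts file requires an elevated prompt; computing $new does not
Set-Content -Path $hostsPath -Value $new -Encoding Ascii

# Verify: the resolver consults the hosts file, so each name should map to loopback
foreach ($d in $blockList) {
    $ip = [System.Net.Dns]::GetHostAddresses($d) | Select-Object -First 1
    "{0} -> {1}" -f $d, $ip.IPAddressToString
}
```

Note the difference from what the asker wanted: the hosts file is a block list, not an allow list, so it only stops the names you enumerate, and on a terminal server it holds only because ordinary users have no write access to `drivers\etc\hosts`. Allowing exactly two or three sites and nothing else still needs a real proxy or a firewall rule, which is the point pwindell and ChiefIT both make.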