XAnalyzer

ASKER

Group Policy (in IE) to ONLY ALLOW trusted site browsing

Hello, I have a Windows 2003 domain controller that I need to enable a GPO for my Windows 2003 terminal server that remote users log into.

I want to make sure that the remote users are ONLY able to browse to the sites I designate as allowed in Internet Explorer (i.e. webmail https). What is the best group policy setting to enable this? How do I make sure that they are not able to disable or modify the IE changes?

Currently I have an IE GPO that doesn't allow them to click certain menu items and other limitations utilizing Loopback so I am familiar with GPO however I do not know how to restrict browsing habits. Any help would be appreciated!

Last comment: pwindell, 8/22/2022 - Mon
XAnalyzer

ASKER
Anyone?
ASKER CERTIFIED SOLUTION
ChiefIT

XAnalyzer

ASKER
Hmm, I am not sure, ChiefIT, if ACLs can be set up for this scheme;
I have a 4-port VPN router (RV042) first of all, but I'm sure ACLs can be configured. The terminal server is running off regular port 3389 and web browsing is port 80. I do not want any users on Terminal Server (3389) to browse the web (80) except for 2-3 allowed sites. How would I set up an ACL to achieve this?
XAnalyzer

ASKER
"A problem with group policies is, you need to have the ADM templates for the correct versions of their internet explorer. BUT, this group policy does NOT provide a policy for a different web browser, like opera and firefox. So, even with the policy in place, remote users may still bypass your GPO's real easily. "

This isn't an issue because my terminal server is heavily locked down and no installations are possible (although downloads are). So we are using the latest Internet Explorer and no other browsers are permitted for install.
ChiefIT

Well, group policies include an OU that seeks the server to determine a list of web sites. The policy itself acts as a proxy to that OU. So, maybe this will work. The Microsoft article explains how to set up the server as a proxy using GP.

http://support.microsoft.com/kb/556044
XAnalyzer

ASKER
Does not seem to work. Followed the instructions as per KB 556044 but all I see is "Detecting proxy settings..." and the websites load anyway.
ChiefIT

What IP did you list as your proxy server?

Remember, the article stated if you don't have a proxy, then use 0.0.0.0.
XAnalyzer

ASKER
I tried 0.0.0.0 and 192.1681.200 (fake IP) and still no go. Even found a registry edit (http://support.microsoft.com/kb/306915) and still nothing.
XAnalyzer

ASKER
As you can see all the settings for GPO appear normal (loopback replace, fake proxy IP, etc.)
(attachment: Capture.JPG)
ChiefIT

The clients are getting the policy?

Have you checked to see if the proxy is passed down to your clients?
SOLUTION
pwindell

Ok,...looks like ChiefIT pretty much said the same thing,..sorry I didn't notice that at first.
Imal Upalakshitha

This ADM template has more settings. See if there is something that you are waiting for.
Remove .zip and import it.
(attachment: Windows-SteadyState.adm.zip)
XAnalyzer

ASKER
Not sure why, in theory, what I'm asking for cannot be done? It seems reasonable to assume that setting up a machine-specific proxy GPO would block every site except the ones listed in the GPO whitelist settings? It's just not happening on the machine and I'm not sure why, hence the reluctance to award any PTS just yet.
XAnalyzer

ASKER
Thank you all for your contributions though. Let's make this work!
pwindell

A "Proxy GPO" is worthless without a proxy,...you don't have a proxy,...you said so yourself.

Security Zones do not block anything. Security Zones enable or disable certain browser features,..and nothing more,...you can't block sites with Zones. You are wasting your time trying to do it this way.
XAnalyzer

ASKER
@pwindell: do you have a better idea?

And in regards to your comments, even though I do not have a proxy, I'm setting one up albeit a fake one, so why can't it work? I want all sites EXCEPT one to redirect through a (fake) proxy meaning that it shouldn't take users anywhere. This is like setting a (fake) proxy server on a local workstation and having it go nowhere because proxy does not exist thus user goes nowhere (fyi- how malware works).
SOLUTION
pwindell

You can't have a "fake" proxy. You have to have a real proxy. I tried to drive to work one day in my fake car but it would not start with the fake key :-) So I had to go buy a real car.
pwindell

"This is like setting a (fake) proxy server on a local workstation and having it go nowhere because proxy does not exist thus user goes nowhere (fyi- how malware works)."

I didn't really address that very well. The normal behavior of IE when it has "proxy settings" is to first try the proxy,...if the proxy is not reachable then it tries to go direct,...hence you cannot "black-hole" sites like that.

The method you are probably thinking of is when you black-hole a Domain Name by putting the Domain in the local Hosts file with an address of 127.0.0.1
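pwindell's point is that the proxy GPO only restricts anything if there is a real proxy behind it. As an added example (not code from this thread or from any of its participants), here is a minimal allow-list forward proxy in Python: IE on the terminal server would be pointed at its host and port by the proxy GPO, and any request for a host outside the list is answered with a 403 rather than relayed. ALLOWED_HOSTS, the example host names and port 3128 are constructed placeholders.

```python
# Added example: allow-list forward proxy. Handles plain HTTP (absolute-URI
# requests) and HTTPS (CONNECT tunnels). Assumes the request head fits one read.
import socket
import threading
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"webmail.example.com"}  # constructed sample allow-list

def host_allowed(host, allowed=ALLOWED_HOSTS):
    h = host.lower().rstrip(".")  # exact or subdomain match, never substring
    return any(h == a or h.endswith("." + a) for a in allowed)

def target_of(request_line):
    parts = request_line.split()  # -> (host, port) or None if unparsable
    if len(parts) != 3:
        return None
    if parts[0].upper() == "CONNECT":  # HTTPS tunnel: target is "host:port"
        host, _, port = parts[1].rpartition(":")
        return (host, int(port)) if host and port.isdigit() else None
    u = urlsplit(parts[1])  # plain HTTP via a proxy uses an absolute URI
    return (u.hostname, u.port or 80) if u.scheme == "http" and u.hostname else None

def _pump(src, dst):
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    dst.close()

def handle(client):
    head = client.recv(65536)
    line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    t = target_of(line)
    if not t or not host_allowed(t[0]):  # deny: IE gets a 403, no fallback to direct
        client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        return client.close()
    up = socket.create_connection(t, timeout=10)
    if line.upper().startswith("CONNECT"):
        client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    else:  # one checked request per connection: make the server close afterwards
        up.sendall(head.replace(b"\r\n\r\n", b"\r\nConnection: close\r\n\r\n", 1))
    threading.Thread(target=_pump, args=(client, up), daemon=True).start()
    _pump(up, client)

def serve(port=3128):
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```

Call serve() on the proxy host and point the IE proxy setting at it; the allow-list check happens on every new connection, so the client cannot reach an unlisted host by going through the proxy.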