Group policy to control web access

Hi Experts

I am running Windows SBS 2003 server with mainly XP desktops.

Is there any way I can control access to the internet through group policy? On some machines I would like to restrict access to Internet Explorer completely - is it safe to do this by adding iexplore to the list of programs which cannot be started?

On some other machines I would like to create a list of websites which are allowed to be accessed.   Other than these 3 sites there should be no access.

I can do this already through my Draytek 5510 router but it can only be configured to control PCs by IP address and I need to be able to do it at user level, so that when a user with elevated access rights logs in they can access all web sites.

thanks
Jon
JonYen Asked:
 
Don (Network Administrator) Commented:
Similar as below
[Attached image: proxy.png]
 
Don (Network Administrator) Commented:
Configure a group policy to point to a non-existent proxy (127.0.0.1 for example) for the users that you want to deny all access to.


For the users that you want to allow a few sites to, create another GPO the same way except that you can add the 3 sites you want to allow in the exception list.
 
Cliff Galiher Commented:
You cannot *reliably* use group policy to control internet access. The reason is that anything you do via group policy is easily bypassed. The only real way to control access to the internet is *at* the internet connection...aka a proxy server or firewall. You should look at either replacing the Draytek or adding another proxy between the Draytek and your network. There are proxy servers and firewalls that are Active-Directory aware and can filter by user. Microsoft's TMG 2010 is clearly the easiest to integrate as an MS technology, but SonicWall, Watchguard, and other UTM device manufacturers offer AD integration at various levels. Or you could look at building a proxy box and running something like Untangle (an open-source Linux proxy setup) that has a paid add-on for AD.

-Cliff
 
JonYen (Author) Commented:
Hi Cliff

The suggestion from dstewart seems like quite an elegant workaround to me - why do you think this wouldn't be reliable? What methods could users employ to bypass this?

thanks
Jon
 
Cliff Galiher Commented:
Not all programs pay attention to proxy settings, and bypassing them is trivial...and could even be unintentional.

Example: SanDisk sells a thumb drive that comes with several portable apps pre-installed. Quite handy. Portable Firefox, with Flash, will happily ignore your proxy settings, access whatever site it wants, and with new Flash vulnerabilities surfacing on a near daily basis, your network is at just as much risk as if you did nothing at all.

That is merely an example, and by no means the only way. A business network NEEDS business class protection, and most SMB firewalls worth their salt offer AD integration, so if you can't accomplish this with your firewall already, that is a good sign that you have bigger concerns.

-Cliff
Question has a verified solution.
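
An added example, not part of any post above: a Python audit of the per-user values Internet Explorer reads (`ProxyEnable`, `ProxyServer`, `ProxyOverride` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`) against the dead-proxy-plus-exceptions policy Don describes. The hostnames and sample values are constructed, and a clean result covers only software that honours these settings, which is the limit Cliff raises.

```python
import ipaddress

# Hypothetical allow list standing in for the three permitted sites.
APPROVED = {"intranet.example.com", "mail.example.com", "supplier.example.net"}

def parse_proxy_server(value):
    """Map scheme -> host for 'host:port' or 'http=host:port;https=host:port'."""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        if "=" in part:                      # per-protocol form
            scheme, addr = part.split("=", 1)
            out[scheme.lower()] = addr.rsplit(":", 1)[0]
        else:                                # one proxy for every scheme
            host = part.rsplit(":", 1)[0]
            out.update({"http": host, "https": host})
    return out

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def audit(settings, approved=APPROVED):
    """Return findings; an empty list means the values match the policy."""
    findings = []
    if settings.get("ProxyEnable") != 1:
        findings.append("ProxyEnable is not 1")
    proxies = parse_proxy_server(settings.get("ProxyServer", ""))
    for scheme in ("http", "https"):
        host = proxies.get(scheme)
        if host is None:                     # scheme not covered by the dead proxy
            findings.append(f"no proxy set for {scheme}")
        elif not is_loopback(host):
            findings.append(f"{scheme} proxy {host} is not loopback")
    entries = [e.strip().lower() for e in settings.get("ProxyOverride", "").split(";")]
    for entry in filter(None, entries):
        if entry == "<local>":               # dotless names bypass the proxy
            findings.append("<local> exception present")
        elif "*" in entry:
            findings.append(f"wildcard exception {entry}")
        elif entry not in approved:
            findings.append(f"unapproved exception {entry}")
    return findings

# Constructed sample values, as they might be exported from two user profiles.
RESTRICTED_OK = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:80",
                 "ProxyOverride": "intranet.example.com;mail.example.com;supplier.example.net"}
DRIFTED = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:80",
           "ProxyOverride": "mail.example.com;*.example.org;<local>"}
```

`audit(RESTRICTED_OK)` returns no findings, while `audit(DRIFTED)` reports the uncovered https scheme, the wildcard exception and the `<local>` entry.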