ramachandraraju
asked on
URL blocking through Group Policy in Windows Server 2003 domain
Hi,
In my office we are using a domain: Windows Server 2003 R3. We have Windows 2000 Professional, Windows XP and Windows Vista clients.
We don't have any proxy server.
I am implementing group policies for restriction. I want to implement a policy like this:
1. I want to block some sites for some users; the remaining users should be able to access those sites.
2. I want to allow only specified sites for some users, according to their department.
I created OUs according to the departments. The only thing I need is to apply the group policies through the domain.
In my office we are using IE6, IE7, IE8, Opera, Firefox and Chrome. I need a policy that is applicable to all the browsers.
Please help me to solve this.
Thanks
What network resources do you have? Can you explain your present infrastructure?
ASKER
Actually, here we are using some customized applications, so I can't use a proxy. The only way I have is through group policies in the domain.
ASKER
Hi Azhrei1,
"DNS redirection (make fake DNS entries, no user filtering possible though)"
How do I do this DNS redirection?
I can't use proxy servers in my organization. I have to do it with group policies only.
Is there any relation between the browser's version (IE) and group policies? I mean, in our organization we have 2000, XP and Vista clients. On 2000 I can use only IE6, on the remaining clients I am using IE7, and on the server I am using IE8.
Please help me.
Hi Ramacha,
If you use a group policy and specify browser settings, they will apply to all versions of Internet Explorer, for all clients. There are some minor settings that older browsers might not use, but they don't apply to URL blocking.
As for your DNS, you can add websites you don't want users to visit to your DNS server, and specify an internal IP, for example that of the DNS server itself, and then put a small HTML page in its IIS webroot (or that of any other webserver you have/make), saying something like 'blocked by administrator'. Even better would be '404 Page unavailable' so they don't know you're blocking them.
Make sure you specify in your firewall that your users are not allowed to use ports other than 80 and 443, or they could circumvent your security by using a proxy server outside your network. Secondly, you want to block DNS traffic from the outside to your local workstations as well, as they could circumvent it by using another DNS server. This of course depends on the knowledge and skill of your users... the average user has no clue how to circumvent a fake DNS entry.
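The DNS redirection described in the answer above, as an added example that is not part of the original thread: a batch script for a Windows Server 2003 DNS server that uses `dnscmd` (from the Windows Support Tools) to create a local zone for each blocked name and point it at the block-page web server. The server name `DNS01`, the address `192.168.1.10` and the file `blocked.txt` are assumptions.

```bat
@echo off
rem Added example, not from the thread: sinkhole a list of domains on the
rem internal DNS server so clients receive the block-page address instead.
rem Assumed values: DNS server DNS01, block-page web server 192.168.1.10,
rem and blocked.txt holding one domain per line (lines starting with # skipped).
setlocal
set DNSSERVER=DNS01
set SINKHOLE=192.168.1.10
set LIST=blocked.txt

for /f "usebackq tokens=1 eol=#" %%D in ("%LIST%") do call :sinkhole %%D
goto :eof

:sinkhole
rem Create a primary zone for the name so this server answers for it
rem itself instead of forwarding the query to the Internet.
dnscmd %DNSSERVER% /ZoneAdd %1 /Primary /file %1.dns
if errorlevel 1 (
    echo [skip] %1 - zone not created, it may already exist
    goto :eof
)
rem Zone apex (the bare domain) and every host name under it.
dnscmd %DNSSERVER% /RecordAdd %1 @ A %SINKHOLE%
dnscmd %DNSSERVER% /RecordAdd %1 * A %SINKHOLE%
rem Show the answer clients will now get for a host in the blocked zone.
nslookup www.%1 %DNSSERVER%
goto :eof
```

Clients that resolved a name before the zone was added keep the old answer until their cache expires or `ipconfig /flushdns` is run. The zones apply to every client that uses this DNS server, so per-user or per-OU filtering is not possible with this method.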
ASKER
Hi Azhrei1,
Can you tell me how to apply these settings, and where I have to apply them on the DNS server?
I don't know, Ramachan. What kind of DNS server do you have? Windows 2003/2008?
ASKER
Windows Server 2003 R2
The other browsers will ignore the group policy and will work fine. Your only alternatives are (pick one):
- 3rd party software on the clients
- DNS redirection (make fake DNS entries, no user filtering possible though)
- Microsoft ISA server (firewall and proxy that will allow this and more in detail)
Some other 3rd party firewall/proxy appliances (some are hardware, some are software) will also do the job.