Grou policy not appyling on one of the computer in domain

How does your policy block internet access?  Have you seen the user at Z machine access the internet - what program were they using?

at the machine do a gpresult command and see which policies are being applied.  If your policy is a user policy then logon as the suspected user account.

Also, try and see if they are logging into a local machine account?

gpupdate /force will do a manual policy refresh.  I have seen some machines get 'stuck' and a gpupdate fixes things.

Any event log errors on the PC related to GPO processing?

Lastly, you could remove the PC from the domain and re-add it again and see if that resolves the problem.

Are they local admins? Maybe editing the registry to bypass the policies restricting the access?

What do you mean by how does ur ploicy blocks internet. there are certain users who r under a policy who have access to few things only...  and no need to mention these users are having acces to internet where they shud not be able to. I have accessed internet personally from that machine. no they r not logging in to local account, they r logging in to domain.  
gpupdate /force
remove the PC from the domain and re-add it again both done before. changed the PC name and removed it from active directory and then re added. but still no good.
One more thing i would like to add over here, it is only 3 machines out of 12 from where this internet access is working. there is only one user ID we use to login for all the users which is user ID X for all the 12 machines. and internet is working on 3 machines out of 12. rest 9 are still restricted.  
Any solution ???????

Are these machines in a differnet OU in Active Directory? Could be the Policy is not the same for these as the other 9.

what about gpresult  ?  does is show that the relevant policy is being applied on the problem machines?

any errors in the Event Logs?

Are they using a proxy setting in IE to bypass your internet access restriction method?

What do you mean by how does ur ploicy blocks internet.

It's a simple question.  Which specific settings in the Group Policy do you use to prevent access to the internet for these machines?  there is no Group Policy setting 'Prevent Internet Access except for our Webmail', so you must be using some combination of settings to enforce this.  You tell us what these settings are and we'll tell you why they're not working.

@KevSta: No they are in same OU and all the 12 machines are in same GP. just to let you know 3 years it was working fine but now all of a sudden i m facing tis problem.
@johnb6767:they r not local admins
@chakko: I have attached the GPresult and error log as well of that machine. No they are not using any proxy as they do not have access to connection tab to internet option.
@marcustech:I have attached image file of GP for those machine.
 GP-RESULT.txt
event.txt

Have you changed a Switch recently or changed the config on an existing switch. Have you checked the network setting of the machine ipconfig /all? Just to make sure they are using the same gateway etc.

No i haven't changed the switch.. and i have checked ipconfig /all... they all have d same gateway and there is no difference in the network settings from other machines.

OK that GPresult isn't very informative.  You will need to log in as the user in question and run gpresult with the /v (verbose) switch.  Are the group policy items you've configured part of your default domain policy or in a seperate policy?  Is it possible that the users are using an alternate browser to Internet Explorer to access the internet?

Yes its a part of my default domain policy. no they are not using alternate browser it is internet explorer. i have attached two files. gpresult /v and gpresult z. pls help.
gpresultv.txt
gpresultz.txt

Any resolution Master marcustech, the way u were asking question, it sounded like u will solve the problem once i provide u with details...

Well one way a user could bypass this restriction would be to set up a proxy server proxying http on port 1001 and then add a HOSTS entry for NOACCESS = my personal proxy server.  Could you change the proxy to 127.0.0.1 instead of NOACCESS?  I doubt that that is the cause of your problems though.

How do you know that users are accessing the internet on these machines?

Also your group policy screenshot shows all protocols proxied to NOACCESS, but the gpresult shows http only to NOACCESS and all other protocols through emirates.net.ae

also: http://technet.microsoft.com/en-us/library/cc978526.aspx

@ Marcustech:There is no way that they can set the proxy settings as the connection tab is disabled by their login.
if there is another way to do so i m nt aware of it.
How do i know if they are accessing internet, Well i am writing you this response from that machine from where internet shouldnt work but it is working.
I can format the computer but i want to find out the cause that how did it happen. so if anyone knows anything pls let me know.

Please try these things.

ping noaccess

any response?  if yes, what is it.

ping 8.8.8.8

any repsonse?  what is it.

ping www.whatismyipaddress.com

any repsonse?  does it resolve to an IP (something like 140.239.x.x)

From Internet Explorer go to:    www.whatismyipaddress.com

then from another computer which can access the internet, try the same URL above and compare the IP address reported.  Are they the same or different?  Does it show any proxy info?

mohsin 24, you missed my point.  Currently they should be proxying through NOACCESS, which I presume doesn't exist.  All they have to do is make NOACCESS resolve to a proxy server of their choice.  Therefore, test with the proxy set to 127.0.0.1.

You can see if you are going through any proxy by going to this site: http://www.lagado.com/proxy-test

@ Marcustech:There is no way that they can set the proxy settings as the connection tab is disabled by their login.
if there is another way to do so i m nt aware of it.

If they have access to Regedit, or CMD.exe, they can change the proxy setttings there....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

By default they have Full Control of their reg hvie (bout 95% of it) even as a limited user....

The connection tab is greyed out.  They have proxy set as http proxy through 'NOACCESS'.  So they could potentially rig the DNS or the HOSTS so that 'NOACCESS' resolves to an existing proxy of their choice.

I'm not suggesting that they are doing this, but it's possible.

@johnb6767:

ping noaccess : No reply

ping 8.8.8.8: Yes there is a reply but i dont know what is it. i tried using nbtstat –a ipaddress command but it says host could not be found.

ping www.whatismyipaddress.com: No reply yes it resolves to 67.203.X.X
Visits www.whatismyipaddress.com and give my public IP which is 84.255.X.X

then from another computer which can access the internet, try the same URL above and compare the IP address reported.  Are they the same or different?  Does it show any proxy info?: No there is no proxy info:
There is no difference except for the IP address and which is obvious as it is two different machine.

@johnb6767:No they do not have access to cmd or regedit. the command prompt window is also disabled. and even if they create a X.bat file, cmd prompt opens and as soon as u press any key from keyboard the cmd  window vanishes due to policy restriction.
I tried http://www.lagado.com/proxy-test. it says it is not coming from proxy server.
I cannot set the proxy to 127.0.0.1. as it blocks my internal mail for them.

if anyone wants to access that computer pls write me on zullu_20@yahoo.com

mohsin24, I would strongly advise against soliciting remote access support in a public forum.  Anyone could email you claiming to be a top Expert.

You should be able to set the proxy to 127.0.0.1 and leave the settings 'do not use proxy for: xxx, xxx, xxx '  and 'do not use a proxy for intranet'

You say that when you ping NOACCESS you get no reply.  Does it resolve to an IP?

@ marcustech: First of all i cannot set proxy through this login as the connection tab is disabled, i will have to login thru admin to change that and if i do that with admin it will only restrict me through that login. once again when i login with the problematic user log in it will be able to browse internet. so ur trick works but not for this login where  connection tab is disable. or if there is other way to do so pls tell me i will try that as well.

NO it didnt ping neither it resolved NOACCESS

I meant you could change the proxy set by group policy to 127.0.0.1 instead of NOACCESS.  However since the group policy isn't applying properly at the moment, this is a moot point.

In the gpresult we see this section:

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   NOACCESS:1001
            Secure Proxy Server: emirates.net.ae:1001
            FTP Proxy Server:    emirates.net.ae:1001
            Gopher Proxy Server: emirates.net.ae:1001
            Socks Proxy Server:  emirates.net.ae:1001
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes

Are the emirates.net.ae proxies configured in the other GP which was applied, GP-POS?  Also in the gpresult files the 'Group Policy was applied from:...'   is blank - did you redact the name of the DC from here?

Yes thats the point, how come GP is working on other computer and not on this computer. i repeat once again i have 12 machines out of which 8 machines work fine and 4 machines has access to internet and all the machines login with one user from which there is no access to internet. except for these problematic 4 machine.
I really feel that applying the new proxy setting on group policy will just wont work as you said the group policy is not applying properly at the moment and secondly why this policy is not allowing the other four machine to access internet. so i really doubt that changing the proxy from group policy is the culprit. as the problem seems to be in the machine. i feel that someone is fidgeting  around with the computer.
I can format the machine  but m a bit scared that what if i format the machine and that culprit changes the settings once again.... there is access to internet.

Yes i have edited the information from DC just to hide the identity

Where are the client machines acquiring the emirates.net.ae proxies from?  Can you set up a test gpo for this machine with the connections tab available so you can check what ie is applying?  What version of ie - you can download the .adm files and see if this helps?  I can only find the ones for 7 or 9 at the moment, give me a while.  Also, you might as well reset the TCP/IP stack ( netsh int ipreset c:\ipresetlog.txt ) and run gpupdate /f, then test.

Surprise Surprise.. I deleted the profile and logged in with the same login ID and internet is not working now.. but u never know for how long.. i hope they dont get it back....  

Deleting the profile and logging in once again solved my problem.. thank you my friend..

Glad you got it fixed mohsin24.