How to white-list internal only web access? Block external web surfing and filter pages.

We have a few machines running Win XP SP3 and Win 7 that we'd like to limit web surfing on.  
How can we best implement this?

REQUIREMENTS:

----------------------------------------------------------------------------------------------------------------------------------
Block Web:    We want to block all other external web-surfing.
Access Internal:   We need to make internally served pages available they are all on one domain.
GPO:     We'd like to apply any solution by policy applied to a single OU.
ServDeskKnowsAsked:
Who is Participating?
 
MarkieSConnect With a Mentor Commented:
Can you utilise something like PAC files or WPAD browser settings.

A PAC file or WPAD.dat like below can be used to direct and/or restrict Web browsing

function FindProxyForURL(url, host) {

// If URL has no dots in domain name, send direct.
      if (isPlainHostName(host))
            return "DIRECT";

// If URL matches, send direct.
      if (shExpMatch(url,"*domain123.com/folder/*") ||
          shExpMatch(url,"*domainXYZ.com:*/*"))                  
            return "DIRECT";


// If hostname matches, send direct.
      if (dnsDomainIs(host, "vpn.domain.com") ||
            dnsDomainIs(host, "abcdomain.com"))
            return "DIRECT";

// If hostname resolves to internal IP, send direct.
      var resolved_ip = dnsResolve(host);
      if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0",  "255.240.0.0") ||
          isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
          isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
            return "DIRECT";

// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
      return "PROXY PROXYSERVERNAME1:8080; PROXY PROXYSERVERNAME2:8080; DIRECT";

0
 
GoatCreekConnect With a Mentor Commented:
Set the proxy server to 127.0.0.1, bypass proxy for local adresses, add the local network to bypass the proxy server.
0
 
ServDeskKnowsAuthor Commented:
GoatCreek: I can't use the local proxy.  

That's what we've been doing, but a Citrix client application isn't able to cope with that proxy setting.  I'm looking for an alternative to that exact setup.
0
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

 
GoatCreekConnect With a Mentor Commented:
You can set the proxy settings also by AD policy
0
 
pwindellConnect With a Mentor Commented:
It is no where near as complex and it is being made here.

You just set the Firewall/Proxy to just not allow certain machines to the Internet.  That's it,...Done.

Internal browsing does not go through the proxy in the first pace,..so that is irrelevant.  The whole point of a LAT (Local Address Table) on a firewall/proxy is to define the interior LAN so that the Firewall/Proxy already ignores request sent to any such destination,...so there is nothing "extra" that you have to do there.
0
 
ServDeskKnowsAuthor Commented:
Proxy works, but I was trying to avoid it.

Extra points to PAC files and a nod to Firewall configuration.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.