Blocking all Internet access for a specific Domain user on Windows 2008R2 domain.

shaw71
I have a domain controlled by a Windows 2008R2 server. All users log into the domain utilizing Active Directory. We also have an Exchange server and a Remote Desktop Server. All servers on the domain utilize the domain controller for authentication, etc.

I have a user that is utilizing a PC workstation as well as a Remote Desktop session on the Remote Desktop Server.

I have been able to block his PC workstation from accessing the Internet via the firewall.  I would like to take it a step further and block this domain user from accessing the Internet whether he signs onto remote desktop server or another PC on the domain.  

This user is to be allowed normal privileges on the LAN network.  File share, Remote Desktop Services, and Exchange.

I am assuming I would adjust group policies on the server.  Can this be done through group policies and if so, where would I adjust this?

Thank you
Shawn
If other users also need to retain web access while in a RDP session, you will probably need to create a GPO and assign it to that one user to block outbound access while in an RDP session.
Senior Active Directory Engineer
Top Expert 2012
Commented:
I would try a GPO with User Configuration settings and use GPO Security Filtering to apply it only to this user.

The GPO will set the proxy to 127.0.0.1

User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> Connection

and set up the proxy settings there. Put 127.0.0.1 there.

After that, configure GPO Security Filtering for that user and apply the GPO to the OU where it is located
http://www.windowsnetworking.com/articles_tutorials/group-policy-security-filtering.html

Regards,
Krzysztof

Author

Commented:
Krzysztof,

I went into the MMC and pulled up the Group Policy Object editor which edits the Local Group Policy Objects. I found where I can enter in the Proxy settings.  My concern at this point is that this is a global change not a user change.  Can you confirm that I am in the correct location for the 127.0.0.1 implementation section of your instruction?

Thanks!
Shawn

P.S. The screenshot is attached.
GPO.JPG
Krzysztof Pytko, Senior Active Directory Engineer
Top Expert 2012

Commented:
Yes, this is a global change for the local machine. Is that a domain environment? If so, you need to create a GPO and apply GPO Security Filtering.

To create a GPO you need to use the GPMC or Active Directory Users and Computers consoles.

If you're interested, I can prepare a short guide for you

Krzysztof
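
One way to script the domain GPO described in the answers above with the GroupPolicy PowerShell module, as an added example that is not part of the original thread. It writes the proxy as registry-based user settings rather than through Internet Explorer Maintenance, and the GPO name, user name and OU are hypothetical placeholders.

```powershell
# Added example. GPO name, user name and OU are hypothetical placeholders.
# Run on a machine with GPMC installed, as an account allowed to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Block Internet - Single User'    # hypothetical
$User     = 'blockeduser'                     # hypothetical sAMAccountName
$TargetOU = 'OU=Staff,DC=example,DC=local'    # hypothetical OU holding the user

# 1. Create the GPO; only its user half is needed.
$gpo = New-GPO -Name $GpoName -Comment 'Dead-end proxy for one user'
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 2. Per-user proxy pointing at the loopback address given in the answer.
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $inet -ValueName 'ProxyEnable' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $inet -ValueName 'ProxyServer' -Type String -Value '127.0.0.1' | Out-Null
# Assumption: LAN hosts are reached by short name, so "<local>" keeps them off the proxy.
Set-GPRegistryValue -Name $GpoName -Key $inet -ValueName 'ProxyOverride' -Type String -Value '<local>' | Out-Null

# 3. Stop the user from changing the proxy in Internet Options.
$cpl = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $GpoName -Key $cpl -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# 4. Security filtering: everyone may read the GPO, only the one user applies it.
#    (On Server 2012 and later the cmdlets are named Set-GPPermission / Get-GPPermission.)
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermissions -Name $GpoName -TargetName $User -TargetType User `
    -PermissionLevel GpoApply | Out-Null

# 5. Link the GPO to the OU where the user account lives.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# 6. Review the resulting filter before the user's next logon or gpupdate.
Get-GPPermissions -Name $GpoName -All | Select-Object Trustee, Permission
```

Because the proxy values sit outside the Policies key, they remain in the user's profile after the GPO is unlinked until they are reset. Only applications that honor the Internet Options proxy are affected, so this complements the firewall block rather than replacing it.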
