GPO to Block Internet use by PC - -NOT by User

Posted on 2012-09-20
Medium Priority
Last Modified: 2012-10-14
We are trying to block a group of PCs from accessing the Internet using a GPO.

This is a group of PC in a laboratory, where each user (30+) has both a PC at their desk, and logs onto the PCs in the lab using their own personal credentials.

So when the users log onto their PCs at their desks, they must have Internet Access.

When they log on to the PCs in the lab using the same credentials, we need the use of Internet Explorer blocked entirely.

This is a Server 2003 Domain, all clients are Win XP Pro/Win-7 Pro.

We've created an OU called "No Internet" and moved all of the PCs in the lab that we need Internet connections blocked form the default "Computers" OU to this new "No Internet" OU.

We tried linking a GPO to that "No Internet" OU (a GPO called "No Internet Sec" ) and configuring the policy User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings ... and setting the proxy IP to a loop-back of

We also removed the group "Authenticated Users" from the Security Filtering list of the GPO. When the GPO proved invective we added each PC in the OU "No Internet" to the Security Filtering list explicitly. Still no go.

I've used this method to block Users from accessing IE from Thin Clients before. But that's applying a GPO to a user account and always works perfectly well. But applying the GPO to a group of PCs in an OU appears to be a problem.

The issue is, that we can't have the GPO affecting the users' accounts when they log onto their desk PCs.

Anyone have a solution to this?

They lab PCs are also getting their IPs through DHCP (not statically assigned) or I suppose we could block them getting out over HTTP/HTTPS at the firewall (a SonicWall TZ-210)

Anyone have an idea on this?

Question by:mojopojo
  • 3
  • 2
LVL 57

Accepted Solution

Mike Kline earned 2000 total points
ID: 38418388
Enable a loopback group policy on that OU for the lab PCs.  More on loopback here


When you do that those user settings should apply to any user logging into those boxes.


LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38418867
Thanks Mike for a very good article even I was not really sure about loopback group policy concept ...This article made me work on this

mojopojo:- You may use the loopback processing given by mike

Author Comment

ID: 38419060
Great article, and thanks for the link.

I have enabled Loopback policy on the GPO linked to the OU "No Internet" and pushed the policy with gpupdate /force

QUESTION: In the GPO "Security Filtering" do I leave or remove the AD entries for the lab PCs... AND/OR ...do I add Authenticated Users back to that filter as is the default.
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!


Author Comment

ID: 38419213
Again, I just need to make sure that the settiings of the Internet restricted GPO do not backwash into the users' PCs outside of the lab.
LVL 57

Expert Comment

by:Mike Kline
ID: 38420094
You can keep the lab PCs in the filter but you are using an OU for the lab PCs so adding authenticated users would mean that the policy applies to all machines in that OU which is what you want...I'd do that.



Author Closing Comment

ID: 38495070
Perfect. Thanks.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question