GPO to Block Internet use by PC - NOT by User

Posted on 2012-09-20
Last Modified: 2012-10-14
We are trying to block a group of PCs from accessing the Internet using a GPO.

This is a group of PCs in a laboratory, where each user (30+) has both a PC at their desk, and logs onto the PCs in the lab using their own personal credentials.

So when the users log onto their PCs at their desks, they must have Internet Access.

When they log on to the PCs in the lab using the same credentials, we need the use of Internet Explorer blocked entirely.

This is a Server 2003 Domain, all clients are Win XP Pro/Win-7 Pro.

We've created an OU called "No Internet" and moved all of the PCs in the lab that we need Internet connections blocked from the default "Computers" OU to this new "No Internet" OU.

We tried linking a GPO to that "No Internet" OU (a GPO called "No Internet Sec" ) and configuring the policy User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings ... and setting the proxy IP to a loop-back of

We also removed the group "Authenticated Users" from the Security Filtering list of the GPO. When the GPO proved ineffective we added each PC in the OU "No Internet" to the Security Filtering list explicitly. Still no go.

I've used this method to block Users from accessing IE from Thin Clients before. But that's applying a GPO to a user account and always works perfectly well. But applying the GPO to a group of PCs in an OU appears to be a problem.

The issue is, that we can't have the GPO affecting the users' accounts when they log onto their desk PCs.

Anyone have a solution to this?

The lab PCs are also getting their IPs through DHCP (not statically assigned) or I suppose we could block them getting out over HTTP/HTTPS at the firewall (a SonicWall TZ-210).

Anyone have an idea on this?

Question by:mojopojo
    LVL 57

    Accepted Solution

    Enable a loopback group policy on that OU for the lab PCs.  More on loopback here

    When you do that those user settings should apply to any user logging into those boxes.


    LVL 18

    Expert Comment

    Thanks Mike for a very good article. Even I was not really sure about the loopback group policy concept... This article made me work on this.

    mojopojo: You may use the loopback processing given by Mike.
    LVL 3

    Author Comment

    Great article, and thanks for the link.

    I have enabled Loopback policy on the GPO linked to the OU "No Internet" and pushed the policy with gpupdate /force

    QUESTION: In the GPO "Security Filtering", do I leave or remove the AD entries for the lab PCs... AND/OR do I add Authenticated Users back to that filter, as is the default?
    LVL 3

    Author Comment

    Again, I just need to make sure that the settings of the Internet restricted GPO do not backwash into the users' PCs outside of the lab.
    LVL 57

    Expert Comment

    by:Mike Kline
    You can keep the lab PCs in the filter but you are using an OU for the lab PCs so adding authenticated users would mean that the policy applies to all machines in that OU which is what you want...I'd do that.


    LVL 3

    Author Closing Comment

    Perfect. Thanks.
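
A read-only check for the outcome the thread is after, added here as an example and not posted by any participant: run it as the same user on a lab PC and on a desk PC to confirm that loopback is active only in the lab and that the blocking proxy has not followed the user to the desk. The registry locations are the standard ones for the loopback policy (`UserPolicyMode`) and the per-user IE proxy; `$BlockProxy` is a placeholder for the value set in the GPO, which the question does not show.

```powershell
# Added example (not from the thread). Read-only: it changes nothing.
# Run as the same user on a lab PC and on a desk PC and compare the output.
param(
    # Placeholder: the blocking proxy value set in the "No Internet Sec" GPO.
    [string]$BlockProxy = '<blocking-proxy-from-your-GPO>'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-LoopbackProxyState {
    param([string]$BlockProxy)

    # Computer side: loopback processing is stored as UserPolicyMode
    # (1 = Merge, 2 = Replace; absent = loopback not configured).
    $mode = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode'
    if     ($mode -eq 1) { $loopback = 'Merge' }
    elseif ($mode -eq 2) { $loopback = 'Replace' }
    else                 { $loopback = 'Not configured' }

    # User side: the IE proxy settings of the logged-on user.
    $inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $enabled = (Get-RegValue $inet 'ProxyEnable') -eq 1
    $server  = Get-RegValue $inet 'ProxyServer'
    $blocked = $enabled -and ($server -eq $BlockProxy)

    if     ($loopback -ne 'Not configured' -and $blocked) { $verdict = 'Lab PC: restriction applied' }
    elseif ($loopback -ne 'Not configured')               { $verdict = 'Loopback set, but blocking proxy missing: check Security Filtering and gpresult' }
    elseif ($blocked)                                     { $verdict = 'Blocking proxy present without loopback: the setting has reached this PC' }
    else                                                  { $verdict = 'Desk PC: unrestricted' }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        User         = "$env:USERDOMAIN\$env:USERNAME"
        LoopbackMode = $loopback
        ProxyEnabled = $enabled
        ProxyServer  = $server
        Verdict      = $verdict
    }
}

Get-LoopbackProxyState -BlockProxy $BlockProxy |
    Format-List Computer, User, LoopbackMode, ProxyEnabled, ProxyServer, Verdict
```

If the verdict is unexpected, `gpresult` on Windows XP or `gpresult /r` on Windows 7 lists the GPOs that were actually applied to the computer and to the user.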
