GPO to Block Internet use by PC - -NOT by User
Posted on 2012-09-20
We are trying to block a group of PCs from accessing the Internet using a GPO.
This is a group of PC in a laboratory, where each user (30+) has both a PC at their desk, and logs onto the PCs in the lab using their own personal credentials.
So when the users log onto their PCs at their desks, they must have Internet Access.
When they log on to the PCs in the lab using the same credentials, we need the use of Internet Explorer blocked entirely.
This is a Server 2003 Domain, all clients are Win XP Pro/Win-7 Pro.
We've created an OU called "No Internet" and moved all of the PCs in the lab that we need Internet connections blocked form the default "Computers" OU to this new "No Internet" OU.
We tried linking a GPO to that "No Internet" OU (a GPO called "No Internet Sec" ) and configuring the policy User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings ... and setting the proxy IP to a loop-back of 127.0.0.1
We also removed the group "Authenticated Users" from the Security Filtering list of the GPO. When the GPO proved invective we added each PC in the OU "No Internet" to the Security Filtering list explicitly. Still no go.
I've used this method to block Users from accessing IE from Thin Clients before. But that's applying a GPO to a user account and always works perfectly well. But applying the GPO to a group of PCs in an OU appears to be a problem.
The issue is, that we can't have the GPO affecting the users' accounts when they log onto their desk PCs.
Anyone have a solution to this?
They lab PCs are also getting their IPs through DHCP (not statically assigned) or I suppose we could block them getting out over HTTP/HTTPS at the firewall (a SonicWall TZ-210)
Anyone have an idea on this?