Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Block Internet Access, Allow Intranet, No Proxy Server

Posted on 2013-01-24
7
3,461 Views
Last Modified: 2013-01-24
Hello

I'm currently working with a company to change their group policy.

They have a group policy that sets a proxy server address off 0.0.0.0

The GP is then assigned to an OU and any user in that OU gets the proxy address and is therefore unable to access the Internet.

Now, we have a new Intranet system but because the vast majority of users have the above proxy set, they are unable to access the Intranet.

What is the best way of allowing access to the intranet, but still blocking Internet Access?

The company does not have a proxy server

Thanks in advance
0
Comment
Question by:Wolf
7 Comments
 
LVL 13

Expert Comment

by:Alexios
ID: 38814173
Hello
Fix the GP so everyone have access and from your DHCP server publish only the subnet and DNS server. Do not publish the gateway
0
 
LVL 1

Author Comment

by:Wolf
ID: 38814227
But wouldn't that then block Internet for every user?

For instance the GPO isn't applied to one OU, which contains managers, and they are allowed Internet access
0
 
LVL 17

Expert Comment

by:aflockhart
ID: 38814238
If everything including the intranet web server is on the same subnet , and you don;t need to route any IP traffic to other sites, you could set all the client computers to have no default gateway ( or set it to an IP address that doesn't exist).  They would still be able to communicate on the local subnet but not beyond.

Then you don't need to set up any proxy server settings.

EDIT - re your comment above: if you want the managers to have different behaviour they would need to have either different IP configuration (such as pointing to a real default gateway) or different browser behaviour ( either them or the other staff pointing to a proxy server address).  Depending on how many managers there are, you may be able to set up fixed IP info for them, or maybe a DHCP scope with different options and with reserved IP addresses for these computers.  

Or the managers could run a script which adds (manually) an IP route to the internet, pointing at the default gateway.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 13

Expert Comment

by:Alexios
ID: 38814302
In addition with my answer aflockhart's suggestion is correct

Further on that the best solution will be a UTM device but with a cost of course...
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 38814610
All you need to do is add the sites that you want to allow to the Proxy Exception list

proxy
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 38815228
dstewartjr's suggestion is the way to do it.
0
 
LVL 1

Author Closing Comment

by:Wolf
ID: 38817457
This was exactly what I needed, and so simple!

Thanks very much
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question