Block all network shares and internal websites to a specific domain user

I have to set up a domain account to be used by visitors to site. This account is to be allowed access to ONE website only - an external website. This account should not be able to access any internal websites or shared network resources.

Using the hardware firewall, I've been able to block access to all but this one external websites, but using group policies, how do I deny all internal websites and network resources to this account (so that shares aren't even seen on the network)?

LVL 17
Chris MillardAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

using group policies, how do I deny all internal websites and network resources to this account (so that shares aren't even seen on the network)?
This isn't really the domain of Group Policy to achieve, but security permissions via Access Control Lists (ACLs).

Security permissions on the shares should be configured to prevent the user account gaining access. This is easy if you follow the principle of least privilege, since you simply don't grant the user membership of the groups which grant access to each share.

The internal websites are harder. If they use authentication, configure that authentication such that the user is denied access. However, if they do not use authentication, you could use Group Policy to lock down e.g. Internet Explorer to make such sites restricted, but this is not without flaws, because the user could easily bring their browser (such as on a USB stick) and bypass the restrictions.

A better approach would be to avoid using the machine to provide any security, and instead configure this in the network. Since no internal resources are required at all, I would jail the machine into a VLAN with no other machines and from which you can firewall the traffic such that no access to internal machines is permitted. If the machine must be domain joined, you can open minimal firewall ports for communication with the DCs, and no more.
Chris MillardAuthor Commented:
The problem here is that the user cannot be restricted to any particular PC. This "generic" account that I have to create is for use by any contractors and visitors, and needs to be able to access an external health and safety reporting website from any PC connected to the domain.
Ah - sorry, for some reason I got the impression this was a single account on a single PC (my bad, apologies).

The VLAN approach could still work there, but it would require you to deploy a RADIUS server and dynamic VLAN control on your switches, such that each machine flips into the "restricted" VLAN when that particular user authenticates and RADIUS returns the restricted VLAN to the switch -- not ideal and certainly an over complication for this use case (if you even have the networking hardware capable of doing this).

Shares are still managed by user privilege, not the computer used to access them, so the ACLs on shares is certainly still the proper way to go in that regard.

GPO is not the ideal way to control the internal website issue, due to the workarounds I described in my previous post such as the user using a different browser.
What are the nature of the internal websites? If they don't require authentication, there is little you can do. machine-wise which is 100% bulletproof. Using GP, you could force all traffic from the user through a proxy server, including traffic to local sites (and lock the proxy settings down), and have the proxy filter traffic such that only accesses to that one external site are permitted; the free Squid proxy would serve you well here. It doesn't account for a user who can bypass proxy settings with their own application, but that's always going to be an inevitability if the local websites require no authentication and there are no controls in-the-network-itself to prevent this.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Chris MillardAuthor Commented:
I'm still in discussions with the customer about the best way forward with this.
Thanks for the update. What are your current thoughts?
Chris MillardAuthor Commented:
The customer has decided to live with the situation as it is. I have given him an idea of the amount of time and work involved in locking everything down for one specific user, and he does not want to go ahead!
Chris MillardAuthor Commented:
Not really a workable solution in my case, but gave me enough information to pass back to my customer.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.