Restrict access to LAN share if connected via RDP over a VPN

Daft question of the day but here goes:

We have a network share in our AD domain containing confidential data that should not be accessed outside of our office.

We have a couple of users who need access to that share as part of their role but who also need to connect remotely to their Windows 7 PC using our Windows 2008 R2 Remote Access Server by VPN and Remote Desktop Connection.

We want to prevent them accessing the confidential data share if they are connected over the VPN. Is there a way of doing that?

Kimputer commented:
Assuming you mean no access to this share from the computer where they initiate this VPN connection and not removing access on the PC they're trying to remote access, as otherwise, how can they do their job?
Just make sure the VPN clients get their IP address from a pool, and have that pool input in the firewall as an exception to deny traffic (in the SMB/File Sharing rule).
You should know, information will always get out if someone really wants it to, including copying the data to USB, or heck, even taking pics of their screen. That's just how life is: if you give them access, even read only, the information is already out.

If you meant, in the office they can access the share, but if they use VPN to take over their own computer, and suddenly the share should be disabled, that's a totally different story. How can they do their work even without that data? The "problem" with remote control is, that it's meant to work as if they're right there in the office.
dejected (Author) commented:
Thanks Kimputer

Sorry I wasn't clear - it is the second scenario. They don't always need the confidential share but they do need to remote in to perform other aspects of their roles that do not require access to that share - we do not want them remoting in to do any processing of the confidential data. This is further complicated by these users being VERY resistant to any administrative or procedural impediments to them carrying out their work.

I was thinking more along the lines of: can the PC tell if it is being accessed remotely rather than physically, and if so adjust GPOs or login scripts so that the share doesn't appear and any means to connect to it are disabled, e.g. Map Network Drive. It does sound improbable, but the alternative is implementing Control 6.2.2 - Teleworking of ISO 27001 - ouch!
Kimputer commented:
There are no dynamic GPOs or login scripts that differentiate by login type. While Windows knows how it's logged in (see the event log, login type 2 vs 10), there's no back-and-forth communication between the PC and server concerning this info. A GPO is valid or not; there's no "enable for login type 10" option.
Personally, I'd set up some more PCs (or VMs) and let them remote to those. That seems to be the easiest (though not very cost-effective) way.
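Kimputer's point that a GPO cannot be conditioned on logon type stands, but a logon script can ask the session itself whether it is a Remote Desktop session (via GetSystemMetrics(SM_REMOTESESSION) or $env:SESSIONNAME) and skip mapping the drive; the Security log 4624 events with LogonType 10 that Kimputer mentions are what an admin would review afterwards. The script below is an added example, not from the thread; the server name, share path and drive letter are placeholders.

```powershell
# Added example (not from the thread). Logon script for the Windows 7 PC:
# map the confidential share only for a local console logon (logon type 2)
# and leave it unmapped inside an RDP session (logon type 10).
$SharePath   = '\\FILESRV\Confidential'   # placeholder share path
$DriveLetter = 'S'                        # placeholder drive letter

# SM_REMOTESESSION (0x1000) is non-zero when the calling process runs inside a
# Remote Desktop session; $env:SESSIONNAME is 'Console' locally, 'RDP-Tcp#n' over RDP.
Add-Type -Namespace Win32 -Name Metrics -MemberDefinition @'
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
'@

function Test-RemoteSession {
    $byMetric  = [Win32.Metrics]::GetSystemMetrics(0x1000) -ne 0
    $bySession = $env:SESSIONNAME -like 'RDP-*'
    return ($byMetric -or $bySession)
}

# Audit helper for the administrator: list Security 4624 events with LogonType 10
# (RemoteInteractive) so remote logons by these users can be reviewed.
# Needs local admin rights to read the Security log.
function Get-RdpLogons {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-$Days)} |
        Where-Object { $_.Properties[8].Value -eq 10 } |        # index 8 = LogonType
        Select-Object TimeCreated,
            @{n='User';     e={ $_.Properties[5].Value }},      # TargetUserName
            @{n='SourceIP'; e={ $_.Properties[18].Value }}      # IpAddress of the RDP client
}

if (Test-RemoteSession) {
    # Remote session: remove any mapping left over from a console logon so the
    # share is not visible in Explorer; errors (no such mapping) are ignored.
    net use "${DriveLetter}:" /delete /y 2>$null | Out-Null
} else {
    # Console logon: map the share for this session only (no persistent mapping
    # that would silently reconnect on the next RDP logon).
    net use "${DriveLetter}:" $SharePath /persistent:no | Out-Null
}
```

Hiding the mapping is a convenience control, not access control: the share ACL still grants the user access and typing the UNC path still works, so real enforcement needs the separate-account approach from Zacharia's answer or restrictions on the file server side. Get-RdpLogons gives the admin a way to review who logged on remotely and from where.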


Zacharia Kurian (Administrator - Data Center & Network) commented:
You could create separate user accounts for them with VPN/RDP access plus all the other required access levels, and deny those accounts access to the shares. But make sure to restrict/adjust GPOs or login scripts so that the share doesn't appear for these user accounts when connected via RDP/VPN.

John (Business Consultant, Owner) commented:
If the users need the share (you said so) and then they go out of the office and you do not want them to have access to the share (you said so), you need to realize they can purloin the data in the office, so protecting it out of the office is largely a waste of time. Daft - as you said so.
dejected (Author) commented:
Thanks all - I've marked Kimputer's as the solution as they've confirmed that there is no way to choose GPOs or scripts, or otherwise mount/dismount the share, based on type of login (physical or remote). The idea would have been that if logged in remotely they don't get the confidential share but can work normally otherwise - they only use the share a couple of times per day. I think it is sledgehammer and nut time.
Please note: disable disk sharing and validate that they can't copy the file from RDS and paste it on their computers.
A simple VPN, if you have it on a different subnet with routing only to RDS enabled, means they can't use Windows Explorer to access the share paths and can only do that within RDS.