Allowing intranet access while blocking internet access (web access) for a few users

We need to block internet and still allow intranet access (web access). Any suggestion on how to configure GPO?

Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
You could create a GPO for IE where it will add suffix for your domain to Intranet sites (i.e. *.domain.local), do not use proxy for intranet zones and add a fictitious IP address for Proxy server.

Another option would be to deploy a real proxy server and you could use Untangle or Squid.
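
An added example, not from the thread or from any participant: the per-user registry values behind the IE proxy settings described in the answer above, applied to one test desktop before the same values go into a GPO, followed by a reachability check. The dead proxy address 127.0.0.1:9, the host intranet.domain.local and the function names are assumptions made for illustration.

```powershell
# Added example (Windows PowerShell 5.1). Constructed values, not from the thread:
# 127.0.0.1:9 as the fictitious proxy, intranet.domain.local as the intranet host.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-IntranetOnlyProxy {
    param(
        [string]$DeadProxy  = '127.0.0.1:9',            # nothing listens here
        [string]$BypassList = '*.domain.local;<local>'  # <local> = dotless host names
    )
    # Send all web traffic to the dead proxy, except hosts on the bypass list
    Set-ItemProperty -Path $InetKey -Name ProxyEnable   -Value 1           -Type DWord
    Set-ItemProperty -Path $InetKey -Name ProxyServer   -Value $DeadProxy  -Type String
    Set-ItemProperty -Path $InetKey -Name ProxyOverride -Value $BypassList -Type String
}

function Test-WebReach {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # Invoke-WebRequest in 5.1 follows the current user's IE proxy settings
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return $true
    } catch {
        # An HTTP error (401, 404, ...) still means the server answered
        return [bool]$_.Exception.Response
    }
}

Set-IntranetOnlyProxy

# Expected outcome per URL once the settings are in effect.
# Run the checks from a new session if this one has already made web requests.
$expected = [ordered]@{
    'http://intranet.domain.local/' = $true    # bypasses the proxy
    'http://example.com/'           = $false   # goes to the dead proxy and fails
}
foreach ($url in $expected.Keys) {
    $actual = Test-WebReach -Url $url
    $state  = if ($actual -eq $expected[$url]) { 'OK' } else { 'UNEXPECTED' }
    '{0,-10} {1} reachable={2}' -f $state, $url, $actual
}
```

Programs that do not read the IE proxy settings are not affected by these values, and a user who can change the proxy setting can undo them, so the GPO should also enable the "Prevent changing proxy settings" policy.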

I know this isn't what you asked but you'll have a much easier time doing this on the firewall if you have a business or enterprise grade firewall. Messing with IE proxy settings via GPO is going to be a nightmare. As soon as your users take their laptops home or something you're going to get phone calls asking why they can't get to the Internet.

Alternatively, just disconnect your internet and have the most secure network possible all while saving some money :P (kidding, of course).

Out of curiosity, what is the business requirement or motivation for what you're trying to achieve?
llarava (Author) Commented:
Not laptops, just a few desktops located in the factory, not the office. They don't want the users to be able to hit the internet but they want them to be able to access the intranet. I can't use the firewall; they are DHCP.

Yeah I see, tricky one. I can't think of a clean way to do it in GPO. Maybe someone else will have some suggestions.

You might be able to finagle the hosts file and push that out via GPO; again though, that's getting pretty messy.

If your intranet is on the same subnet as your Intranet servers you could remove the Default Gateway from the PCs.

If the subnets are separate, you could remove the Default Gateway from the PCs and put a static route on the PCs to your servers subnet (would have to be a GPO login script I think).

Personally I'd be pushing for DHCP reservations and firewall rules - it's going to be clean and is properly secure, you don't ever have to touch the PCs then either.

Good luck :)
llarava (Author) Commented:
I just found this article - This might work!

Mohammed Khawaja - can you please give me more detail about the configuration that you are suggesting?
Mark Lebowitz Commented:
I don't know how to do this using GPO, but it could be done fairly easily using your DHCP server and firewall, especially if you have a Windows server providing both of those functions.

In the DHCP server, create reservations for the computers that you want to block from web access, so they always get the same IP addresses. The second step will be easier if you make those IP addresses contiguous, e.g.,, and

Then, in the firewall, block the http and https services for those IP addresses.

I realize that I've described these steps in very general terms. If you post back with exactly what you're using for your hardware and software, I may be able to offer more detail.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
Depending on the version of IE you have, you may need to download the IE ADM files for your GPO and then you create a GPO shown as before:

Below is a link for the latest IE Administrative Templates:
llarava (Author) Commented:
This did the trick! But the other ideas were also very good.