Blocking all browsers for some users on a terminal server.


I administer a site where most users run sessions on one of 3 64-bit W2008 terminal servers. The site has a domain and each user has their own AD account.

Management have requested that I block internet access for some users, for IE, Chrome, Firefox and any other browsers they may be able to install. (Users are NOT local admins; however, a few browsers, including Chrome, allow a dodgy non-admin install.) The previous admin had written a GPO to misconfigure the browser proxy, but it does not work with newer versions of IE, and of course does nothing for 3rd party browsers.

Does anyone have any idea how this can be done? It would be easy on individual workstations, but this being terminal server sessions, I can't figure out how to get it happening.
Mal Osborne, Alpha Geek, asked:
David Johnson, CD, MVP, Owner, commented:
Easiest way is to remove the gateway.
Mal Osborne, Alpha Geek, Author, commented:
This is a TERMINAL SERVER with MULTIPLE USERS.  They all have the same gateway.
David Johnson, CD, MVP, Owner, commented:
A gateway is only used to go to sites not in the local network.
The problem is that you need user-based restriction.
The easiest way would be if you have an AD-aware firewall and you block traffic over ports 80 and 443 for certain users.
I doubt that it is possible to do the same thing on the local firewall. I think the settings are the same for all users.
Then you have the option to block those users from running browser exe files (like iexplore.exe, firefox.exe, chrome.exe,...). But they can still try to rename those files, and even if you remove their permissions to do so, they can get portable browsers on a USB drive. I cannot remember if I have used any other settings except proxy settings and limiting access to browsers in a similar situation I had.
Do they need to access the terminal server desktop, or do they run just one application?

The local firewall is the way to go. It can block traffic based on user accounts.
A second possible way is to use AppLocker and set up application whitelists, but AppLocker is not available in 2008, only starting with 2008 R2. Or is it R2?
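
The per-user local firewall block suggested in the answer above, as an added example that is not part of the thread. It assumes Windows Server 2012 or later (the NetSecurity cmdlets used here are not present on Server 2008), an elevated session on each session host, and a hypothetical AD group CONTOSO\NoInternet that holds the restricted users.

```powershell
# Added example, not code from the thread.
# Assumptions: Windows Server 2012+ session host, elevated PowerShell,
# and a hypothetical AD group that contains the users to restrict.
$GroupName = 'CONTOSO\NoInternet'   # hypothetical group name
$RuleGroup = 'Per-user web block'   # hypothetical label used to find the rules again

# Resolve the group to its SID; Translate() throws if the group does not exist.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# SDDL naming the accounts the rule applies to: one ACE for the group SID.
$sddl = "D:(A;;CC;;;$sid)"

# Remove earlier copies so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Outbound block rules matched only for traffic owned by group members.
# They are not tied to a program path, so a renamed or portable browser
# is covered as well. UDP 443 is included because QUIC/HTTP3 uses it.
$targets = @(
    @{ Protocol = 'TCP'; Ports = @('80', '443') },
    @{ Protocol = 'UDP'; Ports = @('443') }
)
foreach ($t in $targets) {
    New-NetFirewallRule `
        -DisplayName "Block web $($t.Protocol) for $GroupName" `
        -Group $RuleGroup `
        -Direction Outbound -Action Block -Profile Any `
        -Protocol $t.Protocol -RemotePort $t.Ports `
        -LocalUser $sddl | Out-Null
}

# Report what was created, including the user filter on each rule.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $sec = $_ | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Action    = $_.Action
        LocalUser = $sec.LocalUser
    }
}
```

The rules block ports 80 and 443 to every destination, so intranet web applications are cut off for the group too. If browsers at the site reach the internet through a proxy on a different port, that port has to be added to the RemotePort list.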