Windows XP and blocking external Internet only

We want to prevent any XP machine at our company from hitting the internet but still allow access to internal web pages and shares.  We have a mix of XP and windows 7 machines all on one VLAN.  I really don't want to move all the XP machines to a different vlan.  If I put in a fake proxy address on these XP machines, will they still be able to hit internal web site?

Any thoughts on the easiest way to kill external internet access for just XP that doesn't require a new vlan or mods to the firewall?

Thanks - John

You have 2 options:

1: point the machines to a DNS server that you have on your network without Internet access.
2: set up a firewall which blocks http/https traffic going out and coming in.
You could set up IP reservations for the XP machines on your DHCP server and in their options set up a dummy IP address for their gateway.
Another option is to create a GPO and filter it by OS (or just place all XP machines in an OU), then set up a start-up script to change their gateways to a dummy IP using the netsh command.
andreas (System Admin) commented:
I would also take the dummy gateway method. But be aware that then ANY external communication is not possible anymore. E.g. the machines will not get any signature updates for AV products if you do not run the update server where the signatures are coming from by yourself, and this server is in the same VLAN as the XP machines.

If you have several internal networks that need routing and the XP machines need access to these too, then the gateway method will not work alone; then you need to add some static routes to the other internal networks of your company too.

You also could block external access of the IPs of the XP boxes at the company's firewall.
If there is a chance users might change IPs on the XP boxes, then implement both, so if either one fails the other can prevent ugly things from happening.

It's always a good thing to have several lines of defense when it comes to security; if possible do not rely on only one measure to achieve security.
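One way to script the dummy-gateway-plus-static-routes approach described in the two comments above as a GPO start-up script, as an added example that is not part of the original thread; the subnets and addresses are placeholders, not values from the question:

```batch
@echo off
rem Added example: GPO start-up script for the XP boxes.
rem Replaces the default route with one pointing at a dummy, unused address so
rem external traffic has nowhere to go, then adds static routes so the other
rem internal subnets stay reachable through the real router.
rem Placeholders (assumptions, not values from the original thread):
rem   XP subnet ........... 192.0.2.0/24
rem   real router ......... 192.0.2.1
rem   dummy gateway ....... 192.0.2.254 (a free address that is never assigned)
rem   other internal nets . 198.51.100.0/24 and 203.0.113.0/24

set REAL_GW=192.0.2.1
set DUMMY_GW=192.0.2.254

rem Safety net in case the GPO is not filtered by OS: act only on XP (NT 5.1),
rem so the Windows 7 machines on the same VLAN are left untouched.
ver | find "5.1" >nul
if errorlevel 1 exit /b 0

rem Drop the default route handed out by DHCP (or set statically).
route delete 0.0.0.0

rem Persistent (-p) default route to the dummy gateway. It survives reboots,
rem and metric 1 ranks it ahead of any default route DHCP adds again later.
route -p add 0.0.0.0 mask 0.0.0.0 %DUMMY_GW% metric 1

rem Static routes for the other internal subnets through the real router,
rem so internal web pages and shares on those subnets keep working.
route -p add 198.51.100.0 mask 255.255.255.0 %REAL_GW% metric 1
route -p add 203.0.113.0 mask 255.255.255.0 %REAL_GW% metric 1

rem Check the result: the 0.0.0.0 entry should now point at the dummy gateway.
route print 0.0.0.0
```

Because the script runs as a start-up script it executes as SYSTEM, so it works even where users are not local administrators; users who do have admin rights can still undo it, which is why the comments recommend pairing it with a firewall rule.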

Benjamin Voglar (IT Pro) commented:
Do you have an external FW?
JDS42 (Author) commented:
Thanks everyone for the thoughts. I am thinking that giving them all static IPs and putting in a rule at the firewall to block http traffic might be the quickest and easiest route.
Benjamin Voglar (IT Pro) commented:
Yes, I agree with you. But you have to know: if users have admin rights they can change the IP address. My suggestion is a DHCP reservation.