Prevent surfing

thedslguy
thedslguy used Ask the Experts™
on
Hello Experts

This question involves two Windows 7Pro machines.  I need to (probably) set a group policy to prevent users from surfing the web.  I looked at gpedit, but under user configuration there is no Internet Explorer Maintenance.  Plus, the two machines that we need to block also have Chrome installed.

Any help with making this happen?

Thanks

thedslguy
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2016

Commented:
look further down for internet explorer Group Policy IEUser Configuration/Preferences/Control Panel Settings/Internet Settings, set your proxy settings, it is is incorrect no surfing.
Chrome has group policy https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
thedslguyComputer and Network Consultant

Author

Commented:
David Johnson, CD, MVP:

Preferences isn't there.  I looked at several other Windows 7 machines and didn't find preferences or Interfnet Explorer.  I even looked on a domain server for another client and didn't see Preferences or Internet Explorer there, either.  I sent a screenshot.

Thanks

tdg
screenshot.jpg
Top Expert 2016

Commented:
you have to go to each machine and set the options manually and run the user as a standard user.
C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

thedslguyComputer and Network Consultant

Author

Commented:
David Johnson, CD, MVP:

As you can see from the screenshot, I don't have Preferences in the list.  So, how do I set the options manually?

Also, will this affect the administrative accounts, or just the standard users?

Thanks

tdg
Top Expert 2016

Commented:
you have to go into the users control panel internet options
SteveArchitect/Designer

Commented:
It's worth checking we have fully understood your requirement as many suggestions could have other implications.

Are the users allowed any external access, other than web browsing?
Do you have any internal websites/intranets that need to continue working?
Are they laptops that should be permanently blocked from browsing, or should they be able to when used out of the office?
Is this all users, or just a specific 2?

It's also worth asking the question, why do you want to block them?
thedslguyComputer and Network Consultant

Author

Commented:
Steve:

Users will have no other access.  They can use the POS Software that is installed on the machine, but they do not require Internet access for this purpose.

There are no internal websites/intranets involved.

They are desktops.

Blocking is specific to all users of the one standard account.  Administrators will still have access.

There have been problems in the past with users surfing the net instead of working.  The owners requested that they be blocked from this practice as it is too hard to police as is.  Surfing the web is not necessary to do their jobs.

Thanks

tdg
Top Expert 2016

Commented:
you can always uninstall internet explorer and any other web browser
SteveArchitect/Designer

Commented:
Great info. Thanks @thedslguy.

In that case you have a few options worth considering.

Your internet routers could be set to block all internet traffic from everything but the server (and anything else you feel needs internet access)
You could limit this block to ports 80 & 443 if you only wanted to block general surfing but allow other stuff
you could change your DHCP (or static IPs) to not supply these machines with a default gateway (as this would prevent any non-subnet traffic)
You could put a fake DNS on the machines, but this could affect internal systems if DNS is required internally
you could mess with Internet explorer (uninstall, set a fake proxy, disable in group policy, but this can be bypassed if people have admin rights

As an alternative consideration however, many companies choose not to block/limit the access, but merely monitor it. While this doesn't stop unauthorised access it lets you report and prove it is occurring, which can be used in reviews/disciplinary sessions to deal with the root cause of not actually doing the work required of the end-users role.
thedslguyComputer and Network Consultant

Author

Commented:
Steve

Your suggestions are all on the Windows level.  They would block access for admins as well.  I just need to block the one profile.  That profile is a Standard User.

David Johnson, CD, MVP

This, too would affect the admin's access.

Thanks anyway
SteveArchitect/Designer

Commented:
ok, must have missed you mention that.
what you need is getting increasingly complicated. you may need to consider a proper web filtering solution that can be user-specific but this usually has a cost associated.
thedslguyComputer and Network Consultant

Author

Commented:
Steve

What sort of cost?  

I tried removing permissions but Windows would not allow that, even from the administrator profile.  Group Policy doesn't address it in a Workgroup.

Is this even doable?

Thanks

tdg
Top Expert 2016
Commented:
uninstall google chrome
go the internet explorer folder
c:\program files\internet explorer
right click on internet explorer go to properties/security
take ownership of  iexplore.exe
remove users from read and read/execute
add any specific user that needs access read and read/execute
thedslguyComputer and Network Consultant

Author

Commented:
David Johnson, CD, MVP:

Thanks for the suggestion to take ownership.  I hadn't thought of that, but it worked.  

Thank you again,

thedslguy

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial