Blocking Internet Access to Users using Active Directory

Guest

Hi, I have been trying to block internet access to users by means of
Active Directory but was not successful.
If someone can help me, I need to allow certain users to have full internet
access, and to allow other users to view certain webpages. I know that
Active Directory, by using group policies, is able to do it, but I cannot find my
way around it.
So, i.e.:
- user 'A' with full access
- user 'B' access to www.microsoft.com only

How do I do this? Thank you very much for your help. I am learning, and want
to learn more and more.
Good luck,
Sebastian
 
Herb Martin

Sebtarta said:
> Hi, I have been trying to block internet access to users by means of
> Active Directory but was not successful.

Well, you cannot literally do that with any
degree of ease.

This is a job for a tool like ISA (Proxy Server).

In theory you could block access to the browser or
set up IPSec, but even that is not precisely what you
suggest, since IPSec would be by computer, not
by user.

> If someone can help me, I need to allow certain users to have full internet
> access, and to allow other users to view certain webpages. I know that
> Active Directory, by using group policies, is able to do it, but I cannot find my
> way around it.

ISA -- can use Users and Groups to control access on
the basis of such things.
 
Guest

Herb, thanks for the response, but I was looking for a way of doing this
without having to purchase the ISA server.
 
Ryan Hanisco

Sebtarta,

You are trying to get Windows to do something that it wasn't
designed for. You can configure a GPO that will not allow iexplore.exe to
load... or Netscape, etc. The deal is that other browsers will come around
and the executables can be renamed or repackaged.

You really need something working at a lower level to filter that. Things
like ISA work well though I would suggest something like WebSense. You can
attach that at your firewall or caching appliance and get things at that
level -- for under $40 a user.

Otherwise, there is no "real" way to prevent that.
 
Herb Martin

Sebtarta said:
> Herb, thanks for the response, but I was looking for a way of doing this
> without having to purchase the ISA server.

If you don't have enough users to justify the cost
of ISA, you probably should just TELL them where
they are allowed to visit or buy them some kind
of children's NANNY software for the individual
workstations.
 
DM

Cheapest solution:
You could set up a Linux machine running Squid for free, and depending on
how many users, you could probably pull a machine out of the trash for this.
Then assign GPs for those users to use that proxy server, configure the ACLs
for Squid for what you need, and you're done.

-Dustin
 
Cary Shultz [A.D. MVP]

Sebastian,

One way - since you have stated that it is a user-side thing in your
environment - is that you can assign a fake proxy address via GPO and remove
the affected users' ability to change this. So, if your network is
192.168.1.x then you could supply the Proxy Address as an IP Address of
172.16.21.98 or whatever. These users will not be able to connect to the
Internet....

I believe that Chris has another solution.

HTH,

Cary
 
Kyle Gordon

I can vouch for this method. It works wonderfully.

I put everyone in the company (about 50 users, 160 computers) through this
proxy on a 400MHz machine. I restrict machines based on their MAC address,
but restrictions based on usernames/groups/etc. could be done with winbind.
Certain domains/sites can be let through all the time, such as our clients
intranet, download.windowsupdate.com for SUS, and suchlike.

Kyle
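
Added example (not from any poster in this thread): a squid.conf access-control fragment for the Squid setup DM and Kyle describe, with per-user rules resolved through winbind against AD groups. The group names InternetFull and InternetRestricted and the helper paths are assumptions; the Squid box is assumed to be joined to the domain with Samba/winbind, and browsers are pointed at it by Group Policy.

```conf
# --- Authentication: NTLM via Samba's ntlm_auth (path is an assumption) ---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# --- AD group lookup through winbind (helper path varies by distro) ---
# %LOGIN passes the authenticated user name to the helper, which asks
# winbind whether that user is a member of the named group.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

# --- ACL definitions ---
acl authenticated  proxy_auth REQUIRED
acl full_users     external ad_group InternetFull        # user 'A' (hypothetical group)
acl limited_users  external ad_group InternetRestricted  # user 'B' (hypothetical group)

# Exact host only; a leading dot (.microsoft.com) would also match subdomains.
acl limited_sites  dstdomain www.microsoft.com

# Sites let through for everyone, e.g. the update host Kyle mentions.
acl always_allowed dstdomain download.windowsupdate.com

# --- Rules: evaluated top to bottom, first match wins ---
http_access allow always_allowed             # no login needed for update traffic
http_access deny  !authenticated             # everything else requires a domain login
http_access allow full_users                 # group A: unrestricted
http_access allow limited_users limited_sites  # group B: whitelist only
http_access deny  all                        # default deny, including users in neither group

# Port the GPO proxy setting must point at (3128 is Squid's default).
http_port 3128
```

Because http_access stops at the first matching line, the final deny all is what makes the whitelist effective. The proxy only controls clients that actually use it, so direct outbound web traffic from workstations should also be blocked at the firewall.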
 
Ryan Hanisco

Sebtarta,

As ironic as it is, I had to do this exact thing today.

I created a GPO to modify the proxy to our internal web page and applied
that to the domain, allowing only certain groups to apply it (the groups to
be denied).

This redirects all web requests to the homepage giving them internal and
Intranet info, but stopping all Internet browsing from any browser.
 
