Deny user access to internet

Stefan

Hi

I have some computers on my network and one PDC, all
computers incl. server directly connected to a
switch-router which is connected to the internet.

Now I wanna deny a user account to use the internet, but I
still want the user to be able to use the internal net.

How can I do this?

P.S. My router is not configurable.

Please help.
/Stefan
 
Chuck

Hi

I have some computers on my network and one PDC, all
computers incl. server directly connected to a
switch-router which is connected to the internet.

Now I wanna deny a user account to use the internet, but I
still want the user to be able to use the internal net.

How can I do this?

P.S. My router is not configurable.

Please help.
/Stefan

What is the make and model of the router? Is it a NAT router, or do
you have a proxy server sharing the internet connection?


Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 
Steven L Umbach

Configure the computer that the user is on to not have a default gateway in TCP/IP
properties. --- Steve
 
Guest

*s* I have to manipulate the user account, not the computer.

Can I set up users to use different gateways maybe?

/Stefan
 
Stefan

All computers are connected to a switch. Then the switch is
connected to a router. The router would be of type proxy.
It separates the net 192.168.1.0 from the internet.

/Stefan
 
Steven L Umbach

No, you can't do that. There are third-party personal firewalls such as PortsLock
that can have different configuration per user and be able to block internet access.
A less effective method might be trying to use Group Policy to issue a "bogus" proxy
server to particular users and also blocking them from accessing the connections
configuration page in Internet Explorer. Of course that would only be effective on
Internet Explorer. Depending on the budget I see that D-Link makes a "hot spot" device
that can control internet access by a built in user authentication database of
limited size for around $500, though I have personally not set one up but it may be
worth looking into and downloading the user manual. -- Steve

http://www.portslock.com/
http://www.dlink.com/products/?pid=173
 
Chuck

All computers are connected to a switch. Then the switch is
connected to a router. The router would be of type proxy.
It separates the net 192.168.1.0 from the internet.

/Stefan

Do you know the make and model number of the router?

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 
Rusty

Stefan,

We have done this a couple of ways, depending on the
computer savvy of your users. If your users are like
mine - i.e., mostly computer illiterate - you can set IE
to point to a "false" proxy server. For example, if your
internal network is in the 10.1.1.x range with a class C
subnet, you can set the browser to use a proxy server of
10.100.1.1. Make sure you click the check box to "bypass
proxy for local addresses". This will give the user access
to internal websites but no access to sites outside the
local network (e.g., the internet).

If your users are a little more savvy, you can block
access to port 80 from the specific IP address on the
firewall. Please note, however, that if your internal
websites sit in a DMZ you will need to specifically allow
traffic to this destination. An example for a Cisco PIX
firewall, where .50 is the client IP and 10.99.x.x is the
DMZ:

access-list acl_out permit tcp host 10.1.1.50 10.99.0.0 255.255.0.0
access-list acl_out deny tcp host 10.1.1.50 any

HTH!

Rusty
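
How the two access-list lines in the post above are evaluated, as an added example that is not part of the original post: a first-match model of an ordered list showing why the DMZ permit has to come before the deny. The flows, the address 203.0.113.10 and the trailing permit entry are constructed assumptions, and the protocol field is not modelled.

```python
import ipaddress

# Ordered entries (action, source, destination) mirroring the two
# access-list lines in the post; the protocol field is not modelled.
ACL_OUT = [
    ("permit", "10.1.1.50/32", "10.99.0.0/16"),  # restricted client -> DMZ
    ("deny", "10.1.1.50/32", "0.0.0.0/0"),       # restricted client -> anywhere
]
# Assumption: a trailing entry that lets every other client out.
ACL_WITH_DEFAULT = ACL_OUT + [("permit", "0.0.0.0/0", "0.0.0.0/0")]


def evaluate(acl, src, dst):
    """Return the action of the first entry matching src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    # No entry matched: an applied access list ends in an implicit deny.
    return "implicit deny"


# Constructed sample flows (203.0.113.10 is a documentation address).
FLOWS = [
    ("10.1.1.50", "10.99.0.20"),    # restricted client to a DMZ web server
    ("10.1.1.50", "203.0.113.10"),  # restricted client to an internet host
    ("10.1.1.51", "203.0.113.10"),  # unrestricted client to an internet host
]


def report(acl):
    return [(src, dst, evaluate(acl, src, dst)) for src, dst in FLOWS]


if __name__ == "__main__":
    for name, acl in [("as posted", ACL_OUT),
                      ("deny line first", ACL_OUT[::-1]),
                      ("with trailing permit", ACL_WITH_DEFAULT)]:
        print(name)
        for src, dst, action in report(acl):
            print(f"  {src:>10} -> {dst:<13} {action}")
```

The match is on the client's IP address, not on the logged-in account, so the restriction follows the machine at 10.1.1.50 rather than the user.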
 
