disable internet but allow network access

[Bubba Gump]

How can I disable internet access but still allow access to network
resources for a certain user via the system itself, not on the server? I
would like to be able to easily as a local admin re-enable internet
access at any time to be able to download updates as needed.

I tried zone alarm pro but the user just right clicked it and turned it
off.

Thanks!

 

[Ted Zieglar]

Do it through the router.

 

[Malke]

How can I disable internet access but still allow access to network
resources for a certain user via the system itself, not on the server?
I would like to be able to easily as a local admin re-enable internet
access at any time to be able to download updates as needed.

I tried zone alarm pro but the user just right clicked it and turned
it off.

You didn't give us enough information about the system and the network
to help you. What version of XP is on the workstation, Pro or Home? Is
the workstation a member of a domain?

By "allow access to network resources" I assume that you mean lan
traffic is permitted this user but not Internet access.

In a very general sense you can create a user account that is locked
down with permissions/restrictions and then just log on with an
unrestricted administrator account to do updates, maintenance, etc.

Answer the questions in paragraph one to get focused suggestions.

Malke

 

[Chad Mahoney]

How can I disable internet access but still allow access to network
resources for a certain user via the system itself, not on the server? I
would like to be able to easily as a local admin re-enable internet
access at any time to be able to download updates as needed.

I tried zone alarm pro but the user just right clicked it and turned it
off.

Thanks!

Do not put a default gateway on the machine. Or provide DNS server that
can not resolve DNS for external hosts.

 

[Bubba Gump]

I'm on a corporate network and don't have access to the router. if I
have to go through the network admins to do it, then that means I'll
have to call them anytime I want to be able to get on the web to
download updates.

Any other ideas?

Thanks!

 

[Bubba Gump]

Guess I coulda given more access.

Windows XP professional running on a university network. I need this
account to be able to access netowrk resources like folders and printers
but not be able to get to the web.

Thanks!

 

[Bubba Gump]

Great idea however this machine is getting ip configuration info from
the server.

 

[Robert Moir]

Great idea however this machine is getting ip configuration info from
the server.

Set a 'false' proxy server setting in the browser. Then if needed, lock the
machine down so the user can't change IE settings.

With respect though, this sounds like a human/policy issue rather than a
technology one, and people problems are seldom best solved by technology.
*Whatever* you do, if it isn't backed up by policy, it'll become a game
between you and the user, and regardless of the other issues, you'll both
end up wasting no end of time on this game, to the detriment of the rest of
your job.

 

[Bubba Gump]

Yep, it is a policy issue in a sense b/c university computers aren't
suppose to be used for anything but "university business" so yes,
technically, they could just be axed for doing it. however, everybody at
some point will use their work computer for personal business so the
"computer access and use policy" is a moot point as you can't allow
someone to get away with personal business and not someone else.

If there's not a windows solution, I may just put SurfControl on it and
be done with it.

 

[Chad Mahoney]

Great idea however this machine is getting ip configuration info from
the server.

Write a login script for the user. In the login script type:
route add 0.0.0.0 MASK 0.0.0.0 192.168.0.120 metric 1

where 192.168.0.120 is some bogus IP on your network that has no routing
enabled, this route is the same metric as the default gateway it may or
may not work?

When you need to access the internet type route delete 0.0.0.0 mask
0.0.0.0 192.168.0.120 metric 1

Chad

 

[Steven L Umbach]

Make sure the user you want to restrict is not a local administrator or
member of the network configuration operators group as it sounds like he is
if he can disable ZA. Then as administrator change the default gateway to be
something bogus when you do not want to have internet access and then change
it to what it should be when needed. You could automate the process with a
batch file using netsh if need be. Another possibility is to use a local
ipsec filtering policy that denies internet access that the administrator un
assigns when he needs access and then assigns again when done.

Steve

http://www.securityfocus.com/infocus/1559 -- ipsec filtering basics