Restrict DNS usage

Jeff Mackeny

I have a simple AD/DNS configuration for this one client: they have one 2k
box and 45 workstations. I have configured forwarding within DNS to the
ISP's name server and enabled routing; all workstations use the 2k box for
name resolution and internet access (they DG to the 2k box), and all IP info
is received via DHCP. The question is, I would like to restrict certain
users from accessing the internet. They need DNS for name resolution in the
LAN, but how do I stop DNS from forwarding internet traffic for those users?
I tried to remove the DG on those machines, then created a new OU, moved
all the restricted users into it, and created a GPO that will restrict them
from accessing the LAN properties. The problem is that some users are
members of the local administrator group (a requirement of one of the apps
the company uses); in other words, the domain user is a member of the
administrator group on the local machine, and while that is in place the
GPO was not applied for those users. So how do I go about this, or what
other options do I have?

Thanks
 
Michael Holzemer

Disable the DNS client service on their machines. Maybe they will not
notice. NetBIOS will be OK for browsing in a small network like this. Kinda
sneaky, but...
 
Kevin D. Goodknecht Sr. [MVP]

In Jeff Mackeny <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
I have a simple AD/DNS configuration for this one client: they have
one 2k box and 45 workstations. I have configured forwarding within
DNS to the ISP's name server and enabled routing; all workstations
use the 2k box for name resolution and internet access (they DG to
the 2k box), and all IP info is received via DHCP. The question is, I
would like to restrict certain users from accessing the internet.
They need DNS for name resolution in the LAN, but how do I stop DNS
from forwarding internet traffic for those users? I tried to remove
the DG on those machines, then created a new OU, moved all the
restricted users into it, and created a GPO that will restrict them
from accessing the LAN properties. The problem is that some users are
members of the local administrator group (a requirement of one of the
apps the company uses); in other words, the domain user is a member of
the administrator group on the local machine, and while that is in
place the GPO was not applied for those users. So how do I go about
this, or what other options do I have?

Thanks

Use your group policy to assign a bogus proxy for all internet protocols,
then hide the connections page in the policy, too.
Then nobody in the OU can access the internet because of the bogus proxy.
It won't matter if they are local admins if you select No Override on
the policy.
I do this to keep my users using the correct proxy with filtering; all of
these users are local admins on their machines for the same reason: some apps
require local admin rights.
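The per-user registry values behind the bogus-proxy approach, as an added example that is not from the thread. It assumes the values are applied in the restricted user's context (or pushed out by the GPO) and uses 127.0.0.1:9 as a placeholder proxy address that nothing answers on; the bypass list keeps intranet (single-label) names going direct, so LAN name resolution still works.

```powershell
# Added example (not from the thread). All keys are under HKCU, so run this as
# the restricted user or deliver the same values through the OU's group policy.
$ProxyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Set-BogusProxy {
    param(
        [string]$Proxy  = '127.0.0.1:9',  # placeholder: nothing listens here
        [string]$Bypass = '<local>'       # intranet names skip the proxy
    )
    # Point every WinINet-aware application at a proxy that never answers
    Set-ItemProperty -Path $ProxyKey -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $ProxyKey -Name ProxyServer   -Value $Proxy
    Set-ItemProperty -Path $ProxyKey -Name ProxyOverride -Value $Bypass
    # Hide the Connections page so the user cannot simply untick the proxy box
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name ConnectionsTab -Value 1 -Type DWord
}

function Test-BogusProxy {
    # Report what is actually in effect for the current user
    $p = Get-ItemProperty -Path $ProxyKey
    $c = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnabled         = ($p.ProxyEnable -eq 1)
        ProxyServer          = $p.ProxyServer
        LocalBypass          = ($p.ProxyOverride -like '*<local>*')
        ConnectionsTabHidden = ($c.ConnectionsTab -eq 1)
    }
}

Set-BogusProxy
Test-BogusProxy
```

Only applications that honour the WinINet proxy settings are affected; a program that opens its own sockets to the internet is not stopped by this, which is the limit of the approach.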
 
