Restricting Internet Access for selected users

Guest

I want to prevent selected users from accessing the Internet (but allow local Intranet access). All the computers are Windows 2000 and the users log in to a Windows 2000 server domain. I placed all the restricted user names in a separate Organizational Unit and configured these Group Policy settings:

User Configuration-Windows Settings-Internet Explorer Maintenance-Connection-Proxy Settings (checked boxes for “Enable proxy settings”, “Use the same proxy server for all addresses” and “Do not use proxy server for local (intranet) addresses”; entered dummy “HTTP” (proxie99) and “Port” (1010) values)

User Configuration-Administrative Templates-Windows Components-Internet Explorer-Internet Control Panel-Disable the Connections page (set to “Enabled”)

These users also are set to use a “Mandatory user profile” so any changes that they make during a login session get reset back to the “official” profile the next time they log in.

The above settings do initially restrict Internet access and they cannot get to the “Connections” page to remove the dummy proxy settings, but some users have found another way to change the settings. If they select the “Internet Connection Wizard” shortcut from the “Start Menu\Programs\Accessories\Communications” menu or execute “icwconn1.exe” in the “Program Files\Internet Explorer\Connection Wizard\” directory, the “Internet Connection Wizard” program will reset (remove) the dummy proxy settings and allow access to the Internet (using either Internet Explorer or Windows Explorer).

What is the recommended method to prevent selected users from accessing the Internet (but allowing local Intranet access)?

Thanks to anyone who can help me out.
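The configuration the original post describes, as an added example that is not part of the thread: the three WinINet registry values that the IE Maintenance proxy policy writes into the user's hive (ProxyEnable, ProxyServer, ProxyOverride under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), plus a logon-script check that reports and reverts any drift from the expected dummy proxy, which is what the icwconn1.exe reset produces. Windows 2000 itself has no PowerShell, so the script assumes a later Windows client with PowerShell 2.0 or newer where the same key and values apply; the log share path is a placeholder.

```powershell
# Added example; not code from the thread. Assumes PowerShell 2.0 or later,
# run in the restricted user's own session (for instance from that user's
# logon script), so HKCU is the hive the IE Maintenance policy populated.
# Expected values are the ones the original post configured: dummy proxy
# proxie99:1010 with the "bypass proxy for local addresses" option.

$IEKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Expected = @{
    ProxyEnable   = 1                # 1 = "use a proxy server" is ticked
    ProxyServer   = 'proxie99:1010'  # dummy host:port from the post
    ProxyOverride = '<local>'        # WinINet token: dotless hostnames bypass the proxy
}

function Set-DummyProxy {
    # Writes the same three values the IE Maintenance policy writes.
    Set-ItemProperty -Path $IEKey -Name ProxyEnable   -Value $Expected.ProxyEnable   -Type DWord
    Set-ItemProperty -Path $IEKey -Name ProxyServer   -Value $Expected.ProxyServer   -Type String
    Set-ItemProperty -Path $IEKey -Name ProxyOverride -Value $Expected.ProxyOverride -Type String
}

function Get-ProxyDrift {
    # Returns the names of the values that no longer match $Expected.
    # A reset by icwconn1.exe (or by any other tool) shows up here.
    $current = Get-ItemProperty -Path $IEKey -ErrorAction SilentlyContinue
    $drift = @()
    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($current -ne $null) { $actual = $current.$name }
        if ("$actual" -ne "$($Expected[$name])") { $drift += $name }
    }
    return $drift
}

function Test-DummyProxy {
    # $true when all three values are still the policy-defined ones.
    return (@(Get-ProxyDrift).Count -eq 0)
}

# --- logon-script usage: detect, record, then re-apply ----------------------
$drift = @(Get-ProxyDrift)
if ($drift.Count -gt 0) {
    $msg = '{0} {1}\{2} on {3}: proxy settings changed ({4})' -f `
        (Get-Date -Format s), $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, ($drift -join ',')
    Write-Warning $msg
    # Placeholder central log location; use a share the restricted users can append to.
    Add-Content -Path '\\server\netlogon-audit\proxy-drift.log' -Value $msg -ErrorAction SilentlyContinue
    Set-DummyProxy
}
```

Two caveats a practitioner should keep in mind. First, these values steer only programs that use WinINet (Internet Explorer, the Explorer web view and other WinINet callers); a program that opens its own sockets never consults them, so the dummy proxy is a convenience control, not a network boundary. Second, the `<local>` bypass exempts every hostname without a dot, which is what keeps intranet short names working but also means any dotless name is reachable directly. The check above is a tripwire: it records who reset the settings and puts them back at the next logon, but as long as icwconn1.exe can be run the reset can simply be repeated.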
 
Joe Wu [MSFT]

Hello,

Thank you for your post. It is my pleasure to work with you again.

I would like to suggest that you configure the proxy server to restrict a
certain group of users from accessing the Internet. For example, if you are
using Microsoft ISA server as your proxy server, you can configure "Site
and Content Rule". Compared with configuring the local web proxy settings,
this solution is more efficient and solid.

If you need more information on how to do so on the ISA server, you can
submit a new post in our ISA news group:

microsoft.public.isa

This newsgroup is primarily for issues involving ISA. The reason why we
recommend posting appropriately is you will get the most qualified pool of
respondents, and other partners who read the newsgroups regularly can
either share their knowledge or learn from your interaction with us. I
believe the problem can be resolved soon there.

Thank you for using our news groups and happy new year!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Thread-Topic: Restricting Internet Access for selected users
|From: "Barry Koopersmith" <bkoopersmith@NO_SPAMaarcorp.com>
|Subject: Restricting Internet Access for selected users
|Date: Wed, 31 Dec 2003 12:31:24 -0800
|Newsgroups: microsoft.public.win2000.general
|
 
Guest

We do not use a proxy server on our network. What additional Active Directory Group Policy settings can I add to what I already indicated to prevent Internet access for selected users?
 
Joe Wu [MSFT]

Hello,

Thank you for your reply.

There is no such option in AD. Actually, even if there were such an option,
the end user could easily bypass it by disjoining his computer from the domain
or building a stand-alone system as a dual-boot system.

Instead, we need to resolve this problem on the networking side. You can
set up a proxy server (for example, ISA) in your network and it should be
the most thorough and efficient solution.

http://www.microsoft.com/ISAServer/

Please let me know if you have more concerns.

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Thread-Topic: Restricting Internet Access for selected users
|From: "Barry Koopersmith" <bkoopersmith@NO_SPAMaarcorp.com>
|Subject: RE: Restricting Internet Access for selected users
|Date: Sat, 10 Jan 2004 17:56:05 -0800
|Newsgroups: microsoft.public.win2000.general
|
 
Guest

I doubt that the users that we want to restrict would know how to disjoin a computer from the domain or build a stand-alone system as a dual-boot system. All these computers are highly visible in production shops and it would be noticed. If they did do that, the applications that they need to do their job would not be available to them plus it would be clear evidence that they have tampered with the computer configuration which they have been directed not to (and they would be subject to disciplinary measures or dismissal).

I would prefer not to setup a proxy server.

I have already used AD to create a “dummy” proxy setting and hidden the “Connections” screen to prevent them from undoing it. I believe it will be sufficient for my purposes if you could just address my original problem. Is there a way to prevent a user from changing the proxy settings? If not, is there a way to prevent the execution of "icwconn1.exe" (Internet Connection Wizard)? If not, then I will just include a command to delete this file in the login script for these users.

Thanks again for your assistance
 
Joe Wu [MSFT]

Hello,

Thanks for your update.

I have performed some tests in my lab and I think that we cannot thoroughly
restrict the users from accessing the Internet on the AD side.

Methods I have tried:

1. Try the "Prohibit access to the Network Connection wizard" setting under
"User Configuration\Administrative Templates\Network\Network and Dial-up
Connections".

Comments:

If you enable this policy, the "Make New Connection" icon does not appear
in the Start Menu or in the Network and Dial-up Connections folder.
However, if the user is local admin, he is still able to run "icwconn1.exe".

2. Restrict permissions on the following registry Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]

Comments:

Users can run "icwconn1.exe", however, the predefined proxy settings (that
are saved in the above registry key) are preserved.

However, this is not a good solution either, because:

- Administrator users can assign themselves with full-control permissions
on that registry key.
- It is difficult to adjust the registry permissions via GPOs or logon
scripts.

Therefore, if there is no proxy server in your network, we do not have a
solid solution to prevent an account with local administrator rights via
domain group policies. Personally, I think that you can try to temporarily
remove the "icwconn1.exe" file from the client systems. (However, please
note that the end user may copy this file from other systems.)

I hope the above information helps. Thanks and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Thread-Topic: Restricting Internet Access for selected users
|From: "Barry Koopersmith" <bkoopersmith@NO_SPAMaarcorp.com>
|Subject: RE: Restricting Internet Access for selected users
|Date: Mon, 12 Jan 2004 21:16:06 -0800
|Newsgroups: microsoft.public.win2000.general
|
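Joe Wu's second test (deny the user write access to the Internet Settings key) and the poster's alternative (keep the restricted users away from icwconn1.exe), as an added example that is not from the thread. It assumes PowerShell 2.0 or later on a Windows version that has it, and a security group holding the accounts of the restricted OU whose name, AARCORP\NoInternet, is a placeholder. The file ACL needs administrative rights on each workstation; the registry part operates on HKCU, so it is meant for the restricted user's own logon script, after Group Policy has already populated the key.

```powershell
# Added example; not code from the thread. Assumes PowerShell 2.0 or later.
# $Principal is a placeholder group name for the restricted OU's users.
param(
    [string]$Principal = 'AARCORP\NoInternet'
)

$IEKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Wizard = Join-Path $env:ProgramFiles 'Internet Explorer\Connection Wizard\icwconn1.exe'

function Protect-ProxySettings {
    param([string]$Identity)
    # Deny write-type rights on the key so that icwconn1.exe, running as a
    # member of the group, cannot rewrite ProxyEnable/ProxyServer. Reads stay
    # allowed, so Internet Explorer still honours the dummy proxy.
    $acl    = Get-Acl -Path $IEKey
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity
        $rights
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        [System.Security.AccessControl.PropagationFlags]::None
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $IEKey -AclObject $acl
}

function Protect-ConnectionWizard {
    param([string]$Identity)
    # Deny the group execute on icwconn1.exe rather than deleting the file:
    # a deleted file can be copied back from another machine (as the thread
    # notes), whereas a Deny ACE also blocks a copy placed at the same path
    # once this script re-applies it at the next startup.
    if (-not (Test-Path -Path $Wizard)) { Write-Warning "$Wizard not found"; return }
    $acl  = Get-Acl -Path $Wizard
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Wizard -AclObject $acl
}

function Test-DenyPresent {
    param([string]$Path, [string]$Identity)
    # $true when a Deny ACE for $Identity is present on $Path; useful as a
    # per-logon sanity check that nobody has stripped the ACE again.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq $Identity) {
            return $true
        }
    }
    return $false
}

Protect-ConnectionWizard -Identity $Principal
Protect-ProxySettings    -Identity $Principal
'wizard denied: {0}; key denied: {1}' -f (Test-DenyPresent $Wizard $Principal), (Test-DenyPresent $IEKey $Principal)
```

A Deny ACE is evaluated before any Allow, so it blocks members of the group even though the key otherwise grants the user full control. The limits are exactly the ones Joe Wu lists: the user normally owns the HKCU key and an owner can always rewrite its DACL, and an account with local administrator rights can take ownership of the file. The ACLs therefore raise the effort and leave evidence (a changed DACL) rather than enforce a boundary; under the thread's own assumptions the durable fix is to remove local administrator rights from the restricted accounts.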
 
