restricting select users from getting to web on XP Prof?

Leythos

I have a client running a workstation - XP Prof, that has 15 accounts on
the box, he wants to keep 8 (User Accounts) of them from accessing the
internet completely. The machine must still perform Windows Updates and
other AV updates, and still allow the other 7 (Administrator
Accounts) users to access the net and anything else. All users must be
able to access the shares on another computer.

Any idea how I can do this without any third party tools?

TIA.
 
Carey Frisch [MVP]

If you are using Windows XP Professional with SP2:

Go to Start > Run and type: GPEDIT.MSC, and hit Enter.

A Group Policy Setting called "Restrict Internet Communication" will do just this.
It can be found in Administrative Templates | System | Internet Communication Management.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

| I have a client running a workstation - XP Prof, that has 15 accounts on
| the box, he wants to keep 8 (User Accounts) of them from accessing the
| internet completely. The machine must still perform Windows Updates and
| other AV updates, and still allow the other 7 (Administrator
| Accounts) users to access the net and anything else. All users must be
| able to access the shares on another computer.
|
| Any idea how I can do this without any third party tools?
|
| TIA.
|
| --
| (e-mail address removed)
| remove 999 in order to email me
 
JW

call your client's ISP and ask them to change the login password. now
nobody but you will know the password to connect to your ISP. do not
give this password to anybody, except the client who needs to know.

of course, next time each user tries connecting to the ISP, it will fail
and ask for the password. be sure you or your client type it in
yourself, don't give the password to anybody else, and Do Not Check the
box labeled Save This Password For Everybody Who Uses This Computer.
only check the box labeled Save This Password For Me Only. what i don't
know is whether or not you have to delete and recreate the Network
Connection in Control Panel to make this work.

it might be tedious, but it definitely is not complicated, and you only
have to do it once for each user that needs internet access. let us
know if this works or not.

i have never tried this because i have never had this need/issue.
i also welcome anybody else to correct me or offer another solution.
i am assuming the XP Pro workstation accesses the internet directly, and
not through a proxy server.
 
Leythos

| call your client's ISP and ask them to change the login password. now
| nobody but you will know the password to connect to your ISP. do not
| give this password to anybody, except the client who needs to know.

I guess I should have stated that the internet connection is provided over
the LAN - no logon to the ISP. I would have thought the part about other
network shares would have been enough to bring that to light.

[snip]
 
Leythos

| If you are using Windows XP Professional with SP2:
|
| Go to Start > Run and type: GPEDIT.MSC, and hit Enter.
|
| A Group Policy Setting called "Restrict Internet Communication" will do just this.
| It can be found in Administrative Templates | System | Internet Communication Management.

Carey - can I do this on a per-user basis for the WXP/SP2 workgroup
machines? There is no domain.

When I look at it under "User Configuration" with the computer being in a
Workgroup, is that the currently logged on "User" or all users - as there
is also a "Computer Configuration"?

Thanks
 
JW

it is very possible to have an XP workstation that connects to the
internet directly, and is also connected to a LAN. it could even be a
LAN managed by an XP workstation that connects to the internet directly
(sharing the internet connection with the LAN). maybe there are more
than 2 possible configurations.

sorry. it was not clearly stated or implied.

| | call your client's ISP and ask them to change the login password. now
| | nobody but you will know the password to connect to your ISP. do not
| | give this password to anybody, except the client who needs to know.
|
| I guess I should have stated that the internet connection is provided over
| the LAN - no logon to the ISP. I would have thought the part about other
| network shares would have been enough to bring that to light.
|
| [snip]
 
JW

it is too much to retype, but i think pages 1074-1075 in the book
Windows XP Inside Out will help you. the section is named "Making
Different Settings for Different Users", and explains how to make local
GPO settings apply to one group, while Not applying to another.
 
Leythos

| it is too much to retype, but i think pages 1074-1075 in the book
| Windows XP Inside Out will help you. the section is named "Making
| Different Settings for Different Users", and explains how to make local
| GPO settings apply to one group, while Not applying to another.

I was not aware that I could create GPOs on a workgroup computer, I
thought it was an AD/DC method only?
 
Malke

Leythos said:
| I was not aware that I could create GPOs on a workgroup computer, I
| thought it was an AD/DC method only?

Leythos, I'm not an AD guru by any means, but on an XP Pro workstation,
you should be able to make a new user group called "no access" or
whatever and just put those users who shouldn't access the Internet in
that group. You could then set the permissions/policies for that group
with the GPE.

Malke
 
JW

the pages i was referring to do not explain how to create multiple GPOs
on a workgroup computer. as i said, the pages only explain how to make
local GP settings apply to one group, while Not applying to another.

in the spirit of trying to help you out, if all else fails, you could
resort to simple NTFS permissions, and disallow or deny Execute
privileges to all the programs that access the internet (e.g. browsers,
mail clients, IM and file sharing programs, voice and video conferencing
programs, A/V streaming programs etc.)

p.s.
if you can set up multiple GPOs in an Active Directory / Server
configuration, and workstation users authenticate from the server, can
you Not put them into a new group, with policy rights / privileges
assigned to their GPO from the Server, as Malke mentioned ?
 
Leythos

| Leythos, I'm not an AD guru by any means, but on an XP Pro workstation,
| you should be able to make a new user group called "no access" or
| whatever and just put those users who shouldn't access the Internet in
| that group. You could then set the permissions/policies for that group
| with the GPE.

I'll test it this weekend - thanks.
 
Leythos

| if you can set up multiple GPOs in an Active Directory / Server
| configuration, and workstation users authenticate from the server, can
| you Not put them into a new group, with policy rights / privileges
| assigned to their GPO from the Server, as Malke mentioned ?

There is no DC/AD, it's a workgroup of 5 XP Prof stations with duplicated
users/passwords on all of them.
 
JW

i see. then you could use either of the 2 suggestions i made earlier.
use NTFS permissions to disallow or deny Execute privileges on those
programs that use the internet, or refer to the pages i pointed to in
the book Windows XP Inside Out.
 
Leythos

| i see. then you could use either of the 2 suggestions i made earlier.
| use NTFS permissions to disallow or deny Execute privileges on those
| programs that use the internet, or refer to the pages i pointed to in
| the book Windows XP Inside Out.

The problem with permissions on apps is that there are many which allow
Internet access without using IE. I can access the web via FireFox, via
AOL, via other apps.

The ideal solution would be to disable DNS for each user while leaving DNS
in place for the others. Or to limit connections outside the local subnet.
 
JW

although it is tedious to set NTFS permissions for 5 workstations, it is
not really complicated, and you only have to do it once per PC.


p.s.
why did you say
"there are many which allow Internet access without using IE. I can
access the web via FireFox, via AOL, via other apps."

after i clearly stated
"all the programs that access the internet (e.g. browsers, mail clients,
IM and file sharing programs, voice and video conferencing programs, A/V
streaming programs etc.)"
 
Leythos

| although it is tedious to set NTFS permissions for 5 workstations, it is
| not really complicated, and you only have to do it once per PC.

I only have to set it for one Common user area computer, not all 5 - it
would be a mess for all five. The nice thing is that I'll create groups,
assign permissions based on groups, and then add/remove users from groups
in order to manage it - default being only allowing permission to one
non-default group (and system).

| p.s.
| why did you say
| "there are many which allow Internet access without using IE. I can
| access the web via FireFox, via AOL, via other apps."
|
| after i clearly stated
| "all the programs that access the internet (e.g. browsers, mail clients,
| IM and file sharing programs, voice and video conferencing programs, A/V
| streaming programs etc.)"

Because I worked from 7AM to 11PM yesterday, then from 7AM to 5PM today,
and feel slightly burned out and missed it.
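
The group-based NTFS approach discussed in the posts above, sketched as an added example that is not part of the original thread: a batch file for an XP Professional workgroup machine using the built-in `net localgroup` and `cacls` commands. The group name `NoInternet`, the account names and the program paths are placeholders chosen for illustration.

```bat
@echo off
rem Added example: deny one local group access to a list of Internet programs.
rem GROUP, the account names and the program paths below are placeholders.
setlocal
set GROUP=NoInternet

rem Create the local group; the error is ignored if it already exists.
net localgroup %GROUP% /add >nul 2>&1

rem Put the restricted accounts in the group. Edit this list per machine.
for %%U in (user1 user2 user3) do (
  net localgroup %GROUP% %%U /add >nul 2>&1
)

rem Add a deny entry for the group on each program.
rem   /E  edit the existing ACL instead of replacing it
rem   /D  deny the named user or group access
for %%P in (
  "%ProgramFiles%\Internet Explorer\iexplore.exe"
  "%ProgramFiles%\Mozilla Firefox\firefox.exe"
  "%ProgramFiles%\Outlook Express\msimn.exe"
) do (
  if exist %%P (
    cacls %%P /E /D %GROUP%
  ) else (
    echo Skipped, not found: %%P
  )
)

rem Print one resulting ACL so the deny entry can be checked by eye.
cacls "%ProgramFiles%\Internet Explorer\iexplore.exe"

rem Membership is managed from here on with:
rem   net localgroup NoInternet someuser /add
rem   net localgroup NoInternet someuser /delete
endlocal
```

Run it from an administrator account on an NTFS volume; group membership changes take effect at the user's next logon. It only covers the programs listed, which is the limitation raised earlier in the thread: anything not in the list can still reach the network.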
 
