Hi
You should use a firewall device or proxy server to configure these settings. Also, check the Forefront Threat Management Gateway (TMG) specs:
https://technet.microsoft.com/en-us/library/ff355324.aspx?f=255&MSPPError=-2147217396
And if you have 2 DNS servers, you configure one of these DNS servers to run on the local network and redirect users who could not access the internet.
- Proposed as answer by Frank Shen5 (Microsoft contingent staff, Moderator) 51 minutes ago
Hi,
>>We need to block internet and still allow intranet access (web access). Any suggestion on how to configure GPO?
As Burak suggested, we can try using perimeter devices like a firewall or proxy server to do this. Group Policy can't reliably help us achieve this function. Here, if we want to use Group Policy to do this, we can try to set up a fake proxy server for internet access and make local addresses bypass the proxy server. However, this should only work for Internet Explorer.
To configure proxy settings for IE via Group Policy, we can use the Group Policy Preferences Internet Settings extension to do this. Please note that the IE settings configured here can still be edited by standard domain users even after the Group Policy settings are applied.
Internet Settings Extension
https://technet.microsoft.com/en-us/library/cc754649.aspx
In addition, the following article focuses on a similar question and can be used as a reference.
I want to disable Internet access to user using GPO
Best regards,
Frank Shen
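
Because the answer above notes that standard users can still edit the IE proxy settings after the policy applies, a per-user drift check is a useful companion to the fake-proxy approach. The following is an added example, not part of the original thread: it compares the standard per-user Internet Settings registry values (`ProxyEnable`, `ProxyServer`, `ProxyOverride`) against an intended baseline. The proxy address `127.0.0.1:9` and the function name `Test-ProxyBaseline` are assumptions made for illustration.

```powershell
# Added example: detect drift of the per-user IE proxy values from the intended baseline.
# Run in the user's context (for example as a logon script), since the values live in HKCU.

# Baseline for the "fake proxy + local bypass" setup described in the answer.
$Baseline = @{
    ProxyEnable   = 1                 # proxy is switched on
    ProxyServer   = '127.0.0.1:9'     # constructed placeholder for the dead-end proxy
    ProxyOverride = '<local>'         # "Bypass proxy server for local addresses"
}

function Test-ProxyBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    $current = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        # A missing value reads as $null and is therefore reported as drift.
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Drift    = ($actual -ne $Expected[$name])
        }
    }
}

$report = Test-ProxyBaseline -Expected $Baseline
$report | Format-Table -AutoSize

if ($report.Drift -contains $true) {
    # Surface the change so it can be collected centrally; the setting itself
    # is restored when Group Policy Preferences reapply it.
    Write-Warning "Proxy settings differ from baseline for $env:USERNAME on $env:COMPUTERNAME"
    exit 1
}
```

A non-zero exit code or the warning text can be picked up by whatever logon-script or inventory tooling is already in place; the check reports drift only and does not enforce the block, which still belongs on the firewall or proxy.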