How to remove internet access for selected domain users?
In a WS2003 domain, I want to limit specific domain users to local access only (no internet, regardless of browser). Restated, I do not want certain users to have internet access. I am looking for an easy way to do this. Is it possible to push IP settings with no default gateway, per selected user? If so, how? Or, better to run a logon script (per selected user) and delete the route? Or, some other solution? Doc
March 16th, 2011 1:01am

Is it possible to push IP settings with no default gateway, per selected user? If so, how?

1) Deploy the DHCP service on the server and let your clients obtain an IP address from the DHCP server, and make sure that you don't specify the Default Gateway in the DHCP scope.
2) Configure network connection restrictions with Group Policy. This way the user will be restricted from making changes in the Local Area Connection. http://technet.microsoft.com/en-us/library/cc732613(WS.10).aspx
3) The users that you want to have the default gateway will have a default group policy in which they will have no restriction.

OR

If your router or ADSL modem supports MAC filtering, then you can easily do this by binding the machine's MAC address and redirecting it to the local host. This way, whenever the user sitting at the computer wants to browse something, it will be redirected to 127.0.0.1.

http://www.virmansec.com/blogs/skhairuddin
March 16th, 2011 2:37am

If the users that you wish to block are the only users of a given computer, and you are using a DHCP server that allows customizations, such as a Windows DHCP server rather than a basic router, you can create DHCP reservations in the DHCP management console. For each user you can choose to create a new reservation under the scope configuration, based on their MAC address. You assign an IP and save. Then right-click on the reservation, choose Configure Options, and under option #003 Router (the default gateway) enter a non-existent address. The user will not get internet access. This is not terribly difficult for a user to get around if they are an administrator of their computer, by manually changing the gateway, so you may want to restrict their ability to do so using Group Policy as Syed mentioned.
Rob Williams
March 16th, 2011 3:19am

Rob, thanks for the info. The users are not the only user of a given computer. Several of the computers are for transient users, with domain accounts, and onsite periodically. The goal is to limit them to local use only, with no internet use. I am leaning toward a logon script that deletes the route (gateway). Or, a cleaner, better way to do this per user. Other users of any and all PCs in the domain would still have full access. Doc
March 16th, 2011 3:29am

Applying per user, as opposed to per computer, is more difficult. You can use a logon script as per the following example:

    netsh interface ip set address name = "Local Area Connection" gateway = 10.0.0.254 gwmetric = 1

However, the user must be a local administrator to be able to have it run during their logon.
Rob Williams
March 16th, 2011 3:34am

The transient users are not local admins. I have not yet tried, but would "route delete 0.0.0.0" work in a logon script for a non-admin? Doc
March 16th, 2011 3:50am

I am afraid route delete also requires admin privileges. In thinking, perhaps a better alternative would be to use Group Policy. You could place all users you wish to deny access within one or more OUs and link a new policy. Within the policy create a non-existent proxy server. This would deny Internet access as well as block them from making any changes even as a local admin, which you say they are not. The policy is located at:

User configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | 'properties' - Proxy settings | 'add a non existent LAN IP'

You probably want to make sure the "do not use proxy server for local intranet addresses" is checked as well.
Rob Williams
March 16th, 2011 10:25am
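
The non-existent proxy policy described in the post above can be checked from the restricted user's own session. The PowerShell below is an added example, not code from any poster in this thread: it reads the per-user WinINET proxy values and then attempts direct TCP connections that do not go through the proxy. The target hosts and ports are placeholder assumptions.

```powershell
# Added example (not from the thread). Run in the restricted user's session.
# Assumption: the targets below are placeholders; replace with real outside hosts.
param(
    [string[]]$Targets = @('www.example.com:80', 'pop.example.com:110'),
    [int]$TimeoutMs = 3000
)

# Per-user WinINET settings that the Internet Options proxy dialog writes.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cfg = Get-ItemProperty -Path $key

New-Object PSObject -Property @{
    ProxyEnabled = ($cfg.ProxyEnable -eq 1)
    ProxyServer  = $cfg.ProxyServer
    BypassLocal  = ("$($cfg.ProxyOverride)" -like '*<local>*')
} | Format-List

# Try a plain socket connection, which ignores the proxy setting entirely.
function Test-DirectTcp([string]$HostName, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    $name, $port = $t -split ':'
    $open = Test-DirectTcp $name ([int]$port) $TimeoutMs
    $verdict = if ($open) { 'REACHABLE without the proxy' } else { 'blocked or unreachable' }
    '{0,-28} {1}' -f $t, $verdict
}
```

A REACHABLE result means the proxy setting alone is not containing that protocol for this user, so a control at the gateway or firewall is still needed for it.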

Yes, I discovered "route" also requires admin. And, yes, it looks like I will need to be a bit more creative and use GP to do this. Sure would be a nice attribute to add in a user's profile, eh? Just a simple check box would be very nice: [x] Allow Internet Access. Ok, back to reality. If anyone has any other ideas/thoughts (on this issue), please post them. And, Rob, thanks for your help.
Doc
Computers verified since 1972
March 17th, 2011 12:17am

If we looked at all the "nice clickable options" we all want, the profile would be 100 pages long :-) That is why group policy was invented: an easy way to apply common options to multiple users and/or computers. It is actually very easy and fast to use once you become familiar with it. Let us know if you need a hand.
Rob Williams
March 17th, 2011 9:49am

Hi,

You can create an Approved Site list (Invalid website) using Group Policy; that is to say, no websites can be viewed by a specific user unless the user types a correct password for Content Advisor.

How to use Group Policy to Allow or Block URL's
http://www.grouppolicy.biz/2010/07/how-to-use-group-policy-to-allow-or-block-urls/

Brent
March 22nd, 2011 10:29pm

The accepted solutions here, whilst better than nothing, will only work with Internet Explorer, and Dr. Stangelove specified 'regardless of browser'. I would suggest that to do this properly you would either need to:

1. Configure a RADIUS server on your server, and configure your firewall (if indeed you have one) to check that each user's internet request is authorised. The article below (which relates to Cisco) gives you the general idea: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942fd.shtml
2. Alternatively, this would previously have been a job for ISA server. I think that I am right in thinking that this has now been replaced with Forefront Security.

Regards
Alan Moseley
March 28th, 2011 12:36pm

Alan, only one suggestion is Internet Explorer specific; the others are related to internet access and routing.
Rob Williams
March 28th, 2011 3:05pm

I'm sorry Rob, I didn't make myself very clear. The two answers which have been accepted as correct are both Internet Explorer specific. If, for example, you also wanted to prevent users collecting their personal email via POP then they would be of no use. The routing answer would indeed work if the user had sufficient privileges, but the user (if so minded) could circumvent it. Sorry for the misunderstanding.
Alan
March 28th, 2011 4:02pm

The use of a non-existent proxy server should be browser independent, should it not?
Rob Williams
March 28th, 2011 4:12pm

I am afraid not, sir. It is administered, as you have correctly identified, in "User configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | 'properties' - Proxy settings". I believe that this only applies to Internet Explorer, and in any case would not apply to, for example, POP3. Out of interest, when checking the above setting, I noticed in group policy a setting entitled 'Restrict Internet Communication' under User Config, Admin Templates, System, Internet Communication. I got quite excited about this. However, unless anyone can tell me otherwise, I think it only applies to certain features (like ordering photo prints) contained within Windows. What a shame.
Alan Moseley
March 28th, 2011 6:26pm

I am sorry but I disagree there. The group policy is with IE, you can make the change within IE, or you can make the change under Control Panel Internet Options, but all are a connection configuration. It redirects any port 80 connection to the proxy server and, if non-existent, there is no connection. The advanced settings will allow setting up a proxy for other ports as well. To be sure, I just tested with Firefox, and it too was blocked. Best to make the change though within group policy so that an end user cannot reconfigure.
Rob Williams
March 29th, 2011 2:19am

Hmmm, I'm not entirely convinced. I really don't think that changing the group policy proxy setting affects all browsers. You are of course correct in suggesting that if you could change the proxy setting to a non-existent address then this would prevent web browsing though. You have made me think a little deeper about this though. Do you think that configuring a firewall policy (in Computer Configuration - Administrative Templates - Network - Network Connections - Windows Firewall - Domain Profile - Define Port Exceptions) which blocks port 80 (such as 80:TCP:0.0.0.0/32:disabled:Web Access) and then using a security group to filter it to your chosen users would work? I don't know if a computer configuration can be limited to users though, if I am honest. I might have a play with this today to see if I can get it to work.
Alan
March 29th, 2011 10:23am

Scratch that last thought, the Windows Firewall of course will only block incoming connections, not outgoing, and I am not sure that one can filter a computer policy by user group membership.
March 29th, 2011 10:52am

I also am attempting this, as one of our students has had his internet revoked, but now they need him to be able to do his school work, so we need to find a way to let him log into the machine but not be able to browse the internet. Setting up the proxy setting does block IE from working, but it doesn't block Firefox or other browsers, as that's just restricted to the IE settings and the student can change the Firefox browser setting. Any other suggestions?
March 30th, 2011 12:37pm

Have you tried Firefox? I did and it completely blocked it. The setting is part of the Internet configuration, like the old wizard that Windows 98 made you run before you could connect to the Internet.
Rob Williams
March 30th, 2011 12:40pm

This topic is archived. No further replies will be accepted.
