What are options that can be done to prevent an authorized user on the network from using Internet Sharing on their laptop to wireless share our network to unauthorized people or devices?

We have a guest wireless network that gives Internet access via a preshared key and an "internal" wireless network where that uses domain credentials to connect.

We could enable a group policy to prevent our domain users from enabling Internet Connection Sharing, but that would do nothing to prevent non-domain computers of authorized business partners and contractors that are permitted to use the internal network as well as any rogue personal devices people may connect.

What about getting the internal wireless and having everyone use the external Internet wireless and require VPN to access the internal network? (One concern with this is that sometimes people need to access both our internal network and another remote site at the same time and if they are connected to our VPN, a other VPN connection would not work at the same time. )

Also, can a VPN connection to the internal network be shared via ICS?

Other solutions?

Hi,

It's hard to restrict a person who has the permission to connect the internal network to share his/her connection.

From my point of view, we can create a VLAN for the guests. Anyone in this VLAN can only access the internet.

>>Also, can a VPN connection to the internal network be shared via ICS?

Yes. Here is the screenshot of my lab:

Best Regards.

It doesn't seem like a VLAN on guest network accomplishes anything regarding blocking sharing of internal network.

The authorized internal wireless users have to access the Internal network one way or another.  2. options.

1.  Separate guest and internal network on separate VLANs.  The user connects to internal network and shares that connection.

2.  Guest-only network, plus VPN to connect to internal network.  User connects to guest network, them VPNs to internal network, then shares their connection to the internal network.

Are there solutions to prevent this?