# Restrict internet access using group policy



## ScouserTommy

G'day all.

I'm trying to restrict internet access using group policy in Small Business Server 2003. I've created a GPO called NoIe and put a proxy server of 127.0.0.1 blocking port 80 but it still allows access to IE. I've removed 'Authenticated Users' from the list and put in the user account that needs to be restricted. There will be some websites that are exceptions which I can put in but I can't get this part of it working. I've googled till I'm blue in the face and just can't seem to get this working. Any ideas?

Ed


----------



## Patrickv

Well, there is one simple idea: disconnect your internet router. But what are you trying to do, stop people accessing Internet Explorer or the internet? I might add that a proxy is the right way to go. I would recommend that you use Squid as your proxy; you just have to read some information about configuration setups. I have not managed to get it working on Windows, and that's a bit of a problem. I know it can be done and I have seen it done; it's just that you might not have configured it correctly. Good luck.


----------



## ScouserTommy

I can't disconnect the router as there are a number of users who require internet access. There are a small number of users who only require access to one website for business purposes. This is why I want to restrict their net access to one website using a fake proxy server which from what I can gather is the best way to do this. Whatever way I have the GPO setup and linked to the user account is not working. Ideally they would be blocked from all internet access but if it's just IE it would not be such a big issue because they wouldn't be able to install a different browser anyway without admin access. Can anyone explain to me the steps required to do this?


----------



## ScouserTommy

Can anyone help me with this? I have created the OU and put the NoIe (No Internet Explorer) object into it. I've gone into User configuration>Windows Settings>Internet Explorer Maintenance>Connection and adjusted the proxy settings to a fake proxy (127.0.0.1) blocking port 80. I've removed Authenticated Users and added the user (Reception) I want to restrict from the internet. I will need to allow a few sites which I will do through the exceptions when this is properly working.

Is there something I'm doing wrong here? The policy is enabled and linked but the user still has access. Are there permissions being inherited from elsewhere that I need to be aware of? If anyone can shed light on this I would be extremely grateful.


----------



## Guldan

How many users? There is probably a better way, but maybe delete the gateways from the users' machines who don't need access, or maybe utilize the hosts file on their computers. Just some quick thoughts.


----------



## ScouserTommy

This will affect 4 users initially but there will be more in the coming months. I need them to have access to a small number of websites so these options wouldn't work for me. This has to be achievable through group policy. I just need to know what part I'm doing wrong. Help.


----------



## AQ78

How about trying another method, such as a hash rule for these people to kill IE altogether?

http://www.techieshelp.com/Kbs/KB000019.html


----------



## argentolee

AQ78 said:


> How about trying another method, such as a hash rule for these people to kill IE altogether?
> 
> http://www.techieshelp.com/Kbs/KB000019.html


This way is good until they update to a newer IE version, which will have a different hash.
We used to block users from accessing the internet by setting a false proxy and locking regedit and the IE proxy settings page from users.



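Code:

```reg
Windows Registry Editor Version 5.00

; Point IE at a proxy that does not exist (loopback), so web requests fail
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1"

; Lock the Connection Wizard and the connection/proxy settings in IE
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Connwiz Admin Lock"=dword:00000001
"Connection Settings"=dword:00000001

; Stop the user from running registry editing tools to undo the above
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
```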

However, users can always download software from PortableApps and run it from their USB sticks.
Client side is not really the best solution; a proxy server is the recommended way.
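
An added example, not part of argentolee's post: a PowerShell check that reads back the values from the registry file above for the logged-on user, which shows whether the lockdown actually reached the account when a linked GPO appears to do nothing. It assumes PowerShell is installed on the workstation; `ProxyOverride` is the Internet Settings value that holds the proxy exception list.

```powershell
# Added example (not from the thread). Run it in the restricted user's own
# session: every key below is under HKCU, so an admin session shows the
# admin's settings, not the user's.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$iecp = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$sys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected values are wildcard patterns, so "127.0.0.1:80" also matches.
$checks = @(
    @{ Path = $inet; Name = 'ProxyEnable';          Expected = '1' },
    @{ Path = $inet; Name = 'ProxyServer';          Expected = '127.0.0.1*' },
    @{ Path = $iecp; Name = 'Connwiz Admin Lock';   Expected = '1' },
    @{ Path = $iecp; Name = 'Connection Settings';  Expected = '1' },
    @{ Path = $sys;  Name = 'DisableRegistryTools'; Expected = '1' }
)

# Returns the value, or $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    New-Object PSObject -Property @{
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Applied  = ($null -ne $actual) -and ("$actual" -like $c.Expected)
    }
}
$results | Format-Table Value, Expected, Actual, Applied -AutoSize

# Hosts listed in ProxyOverride skip the proxy and connect directly, so this
# list should contain only the sites the user is meant to reach.
$bypass = Get-RegValue $inet 'ProxyOverride'
if ($bypass) {
    'Hosts that bypass the proxy:'
    $bypass.Split(';') | Where-Object { $_ } | ForEach-Object { "  $_" }
} else {
    'No proxy exceptions are set.'
}

$missing = @($results | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    "Not applied: $(($missing | ForEach-Object { $_.Value }) -join ', ')"
}
```

If `ProxyEnable` or `ProxyServer` shows as not applied, the policy never reached this user, which points at GPO linking or security filtering rather than at the proxy values themselves.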


----------



## ScouserTommy

I'm not too worried about USB sticks with PortableApps as the users are not that tech-savvy. I just want to be able to deter them enough to put them off. How much effort is involved in setting up a proxy server?

Is it not sufficient for me to set up a fake proxy and add in some exceptions for 1 or 2 websites? This is what I have tried to do but my configuration is obviously wrong. Ideally this is the way I'd like to do it but any other suggestions for implementing this would be well received.


----------



## argentolee

ScouserTommy said:


> I'm not too worried about USB sticks with PortableApps as the users are not that tech-savvy. I just want to be able to deter them enough to put them off. How much effort is involved in setting up a proxy server?
> 
> Is it not sufficient for me to set up a fake proxy and add in some exceptions for 1 or 2 websites? This is what I have tried to do but my configuration is obviously wrong. Ideally this is the way I'd like to do it but any other suggestions for implementing this would be well received.


Sorry to tell you that I do not have much experience setting up a proxy server. I once set up a proxy with FreeBSD and Squid in around 4 hours following the manual, a long time ago. I was able to make it request a password for Internet access; however, optimization took a lot longer than I expected.

Maybe you could try pfSense:
http://www.pfsense.org/

Check out the features; it's based on PF from BSD. You can filter by source IP and destination domain (what it actually does is resolve the domain dynamically from your DNS, therefore it might not always work when one domain has many IPs). Hope it can fulfill all your needs.

Depending on your traffic, number of users and the features you use, you might need a decent computer for it. Yet, it won't hurt giving it a try on a virtual machine.


----------

