Re: Help ! Need to disable network browsing on 2000 pro clients
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/08/04
- In reply to: Jay: "Help ! Need to disable network browsing on 2000 pro clients"
Date: Tue, 08 Jun 2004 02:27:42 GMT
I suggest that you consider removing those computers from the domain and putting them
in a workgroup and using either IPsec filtering or personal firewalls to allow them to
access only the internet and not any IP addresses on the LAN.
If for some reason they must be in your domain, it can be difficult to prevent users
from browsing the network. You can use Group Policy/user configuration to hide
Network Places though that will not be 100 percent effective as there are many ways
to work around that, such as using or creating shortcuts. Disabling NetBIOS over
TCP/IP on those computers would also deter casual domain browsing. I would also use
Group Policy to disable the command prompt and registry editing, use computer cases
that lock access to the computer drives and interior access and disable USB ports in
CMOS and password protect CMOS settings, configure Group Policy so that users cannot
modify IE settings, do not allow downloads in any of the IE Web Content Zones, make
sure that users/everyone have no more than read/list/execute permissions to the
drive/root folder, and modify the user account used for public access to have only
read/list/execute permissions to the desktop folder in the user profile if you are
not using the guest account that will not save changes to the profile [understanding
the risks of enabling the guest account]. If possible use XP Pro computers for public
access and use Software Restriction Policies to lock down users so they can run ONLY
what is authorized and not be able to install any software. Finally, on W2K or XP Pro
you can implement an IPsec filtering policy on those computers to allow them access to
only the computers they need on the domain, such as domain controllers to log on, by
starting with a mirrored block all IP rule and then adding a permit rule that contains
the allowed LAN IP addresses in the filter and entries for internet access. The links
below may be helpful. --- Steve
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://www.securityfocus.com/infocus/1559
"Jay" <anonymous@discussions.microsoft.com> wrote in message
news:FAA9F901-9DB0-4103-AF25-26A9820C0939@microsoft.com...
> Hello ALL,
>
>
> We have a 2003 AD domain with Windows 2000 Pro clients. I would like to prevent
> the clients from being able to browse the network and see the other computers as well
> as prevent them from browsing the Directory and seeing the different OUs that are
> set up. Is there a way of preventing a user from browsing for folders, computers,
> drives, etc. on the domain, and not prevent the PC from participating on the domain
> normally? I would like to accomplish this without having to set up a new domain just
> for these PCs.
>
> These PCs that I want to lock down are public PCs that anyone off the street
> can use to surf the net. So you can see why I'm so concerned about preventing them
> from seeing the domain.
>
> Thank you so much !!!
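
An added example, not part of the original post: a small Python model of the filter set the reply describes (a mirrored block-all rule plus permit filters), used to check which LAN hosts a planned policy would still let a public PC reach. It goes one step beyond the post by showing that a port-based "internet" permit also opens those ports on LAN hosts unless a LAN subnet block is added. The addresses, the names `Filter`, `decide` and `lan_exposure`, and the ranking (address specificity first, then protocol, then port) are assumptions of this simplified model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    action: str                  # "permit" or "block"
    remote: str                  # remote network in CIDR form; "0.0.0.0/0" = any
    proto: Optional[str] = None  # None = any protocol
    port: Optional[int] = None   # remote port; None = any port
    mirrored: bool = True        # also match the reverse direction

    def matches(self, peer, proto, port, inbound):
        if inbound and not self.mirrored:
            return False
        return (ipaddress.ip_address(peer) in ipaddress.ip_network(self.remote)
                and self.proto in (None, proto)
                and self.port in (None, port))

    def weight(self):
        # Assumed ranking: address specificity first, then protocol, then port.
        return (ipaddress.ip_network(self.remote).prefixlen,
                self.proto is not None, self.port is not None)

def decide(policy, peer, proto, port, inbound=False):
    """Return the action of the most specific matching filter."""
    hits = [f for f in policy if f.matches(peer, proto, port, inbound)]
    # No matching filter means IPsec does not act on the packet, so it passes.
    return max(hits, key=Filter.weight).action if hits else "permit"

# Constructed addresses: LAN 10.0.0.0/24, domain controller 10.0.0.10.
BLOCK_ALL = Filter("block", "0.0.0.0/0")
PERMIT_DC = Filter("permit", "10.0.0.10/32")
PERMIT_WEB = [Filter("permit", "0.0.0.0/0", "tcp", p) for p in (80, 443)]
BLOCK_LAN = Filter("block", "10.0.0.0/24")

naive = [BLOCK_ALL, PERMIT_DC, *PERMIT_WEB]   # block all + permits only
tightened = naive + [BLOCK_LAN]               # adds an explicit LAN block

def lan_exposure(policy, lan="10.0.0.0/24", allowed=("10.0.0.10",)):
    """List (host, port) pairs on the LAN that the policy still permits."""
    probes = [("tcp", 80), ("tcp", 443), ("tcp", 445), ("udp", 137)]
    return [(str(h), port) for h in ipaddress.ip_network(lan).hosts()
            if str(h) not in allowed
            for proto, port in probes
            if decide(policy, str(h), proto, port) == "permit"]
```

Running `lan_exposure` on a draft filter list before assigning the policy shows whether any non-allowed LAN host is still reachable; an empty list is the goal.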