Re: Disable Web Access to Specific Workstations


I just wanted to clarify that Group Policy can only apply to users and
computers, and not to groups per se, but again, computer configuration settings
will not apply to users, as they apply to the computer and to anyone that
logs onto that computer, whether a domain user or a local user. I have run into
many situations where admins have put groups into the scope of influence of a
GPO and wondered why the policy did not apply.

While SRP can stop a particular binary from running, doing so for IE will not
necessarily prevent internet access, particularly if a user can use a different
web browser or access the internet via another application that is not restricted. The
best way I have found using Group Policy is to create an IPsec policy that
is applied to computers and that filters access by IP/ports/protocols inbound
and outbound.
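The machine-level IPsec approach described above, as an added example that is not part of the original posts: it builds a policy with the "netsh ipsec static" context that blocks outbound TCP to the common web ports from this computer to any destination, while a narrower filter keeps the LAN subnet reachable for mail and line-of-business applications. Everything in it is an assumption for illustration: the policy and filter names, the 192.168.0.0/16 LAN subnet, the port list, and that the script runs elevated on a machine that has the netsh ipsec context (Windows Server 2003 and later; XP and 2000 expose the same objects through the IP Security Policies MMC snap-in rather than this netsh context).

```powershell
# Added example, not code from the thread. Builds and assigns a local IPsec policy
# that blocks outbound web ports for every user of this machine, domain or local.
# Assumptions (placeholders, not values from the thread): names below, LAN subnet,
# port list, and that "netsh ipsec static" is available and the shell is elevated.
$Policy   = "ShopFloor-NoWeb"
$LanNet   = "192.168.0.0"         # assumed LAN subnet; change to match the site
$LanMask  = "255.255.0.0"
$WebPorts = 80, 443, 8080          # add the proxy port if the site uses one

function Invoke-IpsecStatic {
    # Run one "netsh ipsec static" command and stop on the first failure, so a
    # half-built policy is never assigned.
    param([string[]]$ArgList)
    & netsh.exe ipsec static @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($ArgList -join ' ') failed"
    }
}

# 1. Filter list: this machine -> anywhere, TCP to each web port.
Invoke-IpsecStatic @("add", "filterlist", "name=${Policy}-WebOut")
foreach ($port in $WebPorts) {
    Invoke-IpsecStatic @("add", "filter", "filterlist=${Policy}-WebOut",
        "srcaddr=me", "dstaddr=any", "protocol=TCP",
        "srcport=0", "dstport=$port", "mirrored=yes")
}

# 2. Filter list: this machine -> the LAN subnet, any protocol. The IPsec driver
#    applies the most specific matching filter, not the first one listed, so this
#    narrower filter wins over the any-destination block and intranet servers on
#    port 80/443 stay reachable.
Invoke-IpsecStatic @("add", "filterlist", "name=${Policy}-Lan")
Invoke-IpsecStatic @("add", "filter", "filterlist=${Policy}-Lan",
    "srcaddr=me", "dstaddr=$LanNet", "dstmask=$LanMask",
    "protocol=ANY", "mirrored=yes")

# 3. Filter actions, the policy, and the rules that tie lists to actions.
Invoke-IpsecStatic @("add", "filteraction", "name=${Policy}-Block", "action=block")
Invoke-IpsecStatic @("add", "filteraction", "name=${Policy}-Permit", "action=permit")
Invoke-IpsecStatic @("add", "policy", "name=$Policy",
    "description=Block-outbound-web-on-shop-floor-PCs")
Invoke-IpsecStatic @("add", "rule", "name=BlockWeb", "policy=$Policy",
    "filterlist=${Policy}-WebOut", "filteraction=${Policy}-Block")
Invoke-IpsecStatic @("add", "rule", "name=AllowLan", "policy=$Policy",
    "filterlist=${Policy}-Lan", "filteraction=${Policy}-Permit")

# 4. Assign it. Only one IPsec policy is active per machine, so this replaces any
#    policy already assigned. Verify with: netsh ipsec static show policy all
Invoke-IpsecStatic @("set", "policy", "name=$Policy", "assign=y")
```

Because the filters key on the machine's own address and on ports, they apply to any browser or any other process, which is the gap a software restriction rule on iexplore.exe leaves open. To deliver the same policy through Group Policy rather than locally, build the identical filter lists and rules under the IP Security Policies node of a GPO linked to the OU that holds the shop-floor computer accounts (the script can also be pointed at the domain store with "netsh ipsec static set store location=domain domain=<yourdomain>" before the add commands). Two caveats worth checking: the IPSEC Services service must be running for the filters to take effect, and a local administrator can unassign the policy, so the restricted users should not be local admins on those machines.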


"JCB" <JCB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
As per my earlier post, the Group containing the accounts (either computer or
user) would be placed first in an OU; the desired GPO would be created and
linked to that OU - in essence GPOs are applied to Groups (all the time).
OUs can contain Computers, Users, Groups, Shared Folders, Contacts,
Printers, or InetOrgPerson objects. Refer to MOAC. Just as it is
ill-advised to assign permissions to individual User or Computer accounts
(unless applying Deny permissions), one should not populate an OU with
individual leaf objects when a single container object (e.g., Group)
collectively will do. Besides the obvious administrative advantage of
applying Policy to a single container object instead of the individual
objects contained therein, application of Group Policy will take
longer at startup and/or logon because the policy is being applied to that
many more objects.

However, you are correct in that the GPO setting I mentioned will not meet
the need to restrict all I'net access. But the stated need is to prevent
certain employees from accessing the I'net, regardless of which workstation
they log on to, so the best approach is to lock down the specific Group of
user accounts, not the machines. Also, as stated, the offending employees
have no need for web access, so a GPO software restriction policy such as a
path or hash rule preventing iexplore.exe from running will accomplish
this...and the restriction is enforced at every logon.

"Steven L Umbach" wrote:

FYI, the GP settings you mention will reduce the functionality of Internet
Explorer but will not disable internet access. Also, you cannot apply
Policy settings to objects by placing them in a group and then placing the
group within the scope of influence of the Group Policy [though groups can
be used for filtering Group Policy], and Group Policy "computer"
configuration settings will not apply to users - only to computers. Enabling
loopback processing of Group Policy [in an Active Directory domain] can
change the way Group Policy settings are applied, so that user settings are
based on the computer and not the user, but that is not the norm. I agree that in
this situation modifying the default gateway or using filtering at the
gateway is the best way to implement the solution.


"JCB" <JCB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
You can create an Active Directory Organizational Unit and place all of
manufacturing MACHINES in that OU. Then under the Computer
Configuration/Administrative Templates/System/Internet Communications
deny access to the I'net. No one who logs into THOSE machines will

You could also restrict the USERS who are guilty by placing their
in a Group, then that group in an OU and applying the same restriction.
way, they can't wander to an office with an unlocked door on third
defeat the machine restriction...

"CarlosAntenna" wrote:

I have a network in a manufacturing facility. PCs in the office need
access, but in the manufacturing area I need to disable web access.
is little supervision on the night shift and they have been caught
instead of working. I need to allow access to the lan for their
applications and email. But I want to disable web access at the
level, so it is disabled no matter who logs in. How can this be done?
registry hack? A policy? PCs are mostly XP pro with a few Win2K.