Re: Deny from internet access
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/11/05
- Next message: Patrifick: "Re: GPO for terminal server and XP"
- Previous message: Steven L Umbach: "Re: Firewall exceptionlist with GP"
- In reply to: Emyeu: "Deny from internet access"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 11 Jan 2005 11:42:20 -0600
If you mean any access to the internet, there are a couple of ways. As
long as they are not local administrators or in the network configuration
operators group on XP computers you can set a bogus default gateway for
their computer. Note that depending on your network physical security it may
not be all that hard for a user to crack a local administrator account
and change that.

You could create an IPsec filtering policy for an OU/GPO and configure the
IPsec policy to block all IP traffic with one rule and then create a rule
that will permit all traffic for the local subnet. The link below explains
more on how to do such. Note that again a user with local admin credentials
could remove the computer from the domain to bypass domain IPsec policy and
by default that user could rejoin the computer to the domain up to ten times
unless you remove authenticated users from the add workstations to the
domain user right in Domain Controller Security Policy.
http://www.securityfocus.com/infocus/1559

ISA server can also prevent users from accessing the internet by requiring
user authentication and rules to block access. That will only work well if
the firewall client is used. ISA server will act as the proxy server and
firewall for the network, being the default gateway to the internet.

Otherwise configure your firewall to block outbound access to a computer's
IP address. For that to work well the computers would need to have static IP
addresses or be within a range of IP addresses assigned by a DHCP scope.
Again a local administrator can modify a computer's IP address.

To help prevent a user from becoming a local administrator be sure that your
computers are configured to boot only from the system hard drive, which can
be configured in CMOS, and CMOS settings can be password protected, though
even that is not 100 percent reliable but well worth doing. Computer cases
would also need to be locked so that a user cannot reset CMOS by changing a
jumper inside the computer.

--- Steve

"Emyeu" <cmchong20@yahoo.com> wrote in message
news:ekGFq289EHA.1260@TK2MSFTNGP12.phx.gbl...
> anyways to apply group policy to specific workstations to deny internet
> access permanently?
>
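
The following is an added example, not part of the original post: a small Python model of the two-rule IPsec policy the reply describes (block all IP traffic, permit the local subnet), used to check which required servers the policy would cut off before it is linked to an OU. It relies on Windows IPsec applying the most specific matching filter; the subnet, the host inventory and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the post names no addresses, so the subnet and the
# host inventory below are assumptions chosen for illustration.
LOCAL_SUBNET = "192.168.10.0/24"

RULES = [
    {"name": "block-all-ip", "dst": "0.0.0.0/0", "action": "block"},
    {"name": "permit-local-subnet", "dst": LOCAL_SUBNET, "action": "permit"},
]

REQUIRED_HOSTS = {  # constructed sample inventory
    "domain-controller": "192.168.10.5",
    "file-server": "192.168.10.20",
    "dns-server": "192.168.20.53",
    "update-server": "10.0.5.8",
}


def decide(dst, rules):
    """Return (action, rule name) for one outbound destination address."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rules if addr in ipaddress.ip_network(r["dst"])]
    if not matches:
        return ("permit", None)  # no filter matched, IPsec leaves the packet alone
    # The most specific filter wins, regardless of the order rules were added.
    best = max(matches, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen)
    return (best["action"], best["name"])


def cut_off(hosts, rules):
    """Names of required hosts that the policy would block."""
    return sorted(n for n, ip in hosts.items() if decide(ip, rules)[0] == "block")


def with_host_exceptions(rules, hosts, names):
    """Copy of rules plus one single-host (/32) permit filter per named host."""
    extra = [{"name": "permit-" + n, "dst": hosts[n] + "/32", "action": "permit"}
             for n in names]
    return rules + extra


if __name__ == "__main__":
    blocked = cut_off(REQUIRED_HOSTS, RULES)
    print("blocked by the two-rule policy:", blocked)
    fixed = with_host_exceptions(RULES, REQUIRED_HOSTS, blocked)
    print("blocked after host exceptions:", cut_off(REQUIRED_HOSTS, fixed))
```

Any server the workstations depend on that sits outside the local subnet (DNS, domain controllers, update servers) needs its own permit filter, otherwise the block-all rule also cuts off Group Policy refresh and name resolution.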