Restricting Internet to users using group policies

poffle

Howzeet

I need to restrict x amount of people on the domain to only access 2 websites. I've been googling and haven't found anything solid. I created an extra organizational unit, added a group policy and tried to configure IE under the administrative templates. I thought I was onto something but it never materialized :p
Unfortunately this is the only way I will be "allowed" to do it and can't install any 3rd party apps.

Any help would be much appreciated.
Thanks!
 
Was afraid you were going to say that :p hate ISA but thanks, I'll have a look into it
 
Set up a squid proxy in a VM, and use GP to point certain users at it... (ISA might be easier, I've never used it though)
 
Using Microsoft's domain based shenanigans is completely moot when the user realises that they can just bypass the "login to the domain" screen, and create a non-domain user and gain access to network resources that way.

Picture it ... a boardroom meeting, where the "guest" from another company can access more of the company resources than the CEO of this company.

ROFL!
 
They would only be able to gain access to the internet if they bypassed the proxy server, but then if you set up your routers correctly, you would reject all packets not from the proxy server destined for the internet.

Other resources will be controlled by Share and NTFS permissions. So the guest would be a guest if you want it so.

If the guest can gain access to network shares then you need to have a specialist come and see your company to secure it properly.
 
@DarrylH, yup. Correct.

You spend 2 months getting it all secure and then a patch comes out and suddenly only certain people cannot see the proxy server any more. Endless browsing through tons and tons of dribble and eventually you find out that failure to run the windows network configuration wizard correctly led to the problem, and that the patch enabled the windows firewall. After fixing the firewall problem, the computer refuses to connect to a network resource because it is already connected to that resource. You die a miserable death.

Then the worst thing imaginable happens .. WHAM .. domain controller and backup domain controller crash! They were both running on the same "safe" power supply, and that burst something and took out both the domain controllers. Entire company left unable to work. Frantic efforts to get another primary domain controller up and running are eventually successful from backups, but now the creation of the backup domain controller is failing because the restored domain controller already has an existing backup controller and wants you to bring it on-line so that you can remove it.

I have seen some Microsoft created situations in my life so far, and jumping on that ship without a real-life-size test environment, and the time to test it, is dangerous.
 
And then a shark jumps out of the water and eats your keyboard... WTF??? You can't cater for everything. Hence Disaster Recovery and BCPs.
 
lol. Nice stories :D. ISA is frikin retarded (unless I am).. create a simple firewall policy.
Deny ALL outbound traffic from internal network to external.
Simple.
Created a security group, made myself a member. Put that group as the users of that firewall rule.
Doesn't work at all.
 
I know nothing about ISA and I got ISA working 100%, plus upgraded it to ISA 2004.
Got groups, internet times, denied websites, access controlled by AD.
 
That's nice, thanks for sharing. So could you help me with my problem then?
 
ISA is pretty simple - but it costs.

Squid - free and still fairly easy to implement (if you know linux)

If you can't use any 3rd party apps (squid/ISA) then you're pretty much screwed. Can't be done.
 
It can be done. Create a GPO to lock down IE, so that users cannot change the "security settings" on IE. Then use the GPO to only allow access to sites listed as "Trusted", and add only those two sites that you want them to access. Since the user can't update the trusted sites, and they can only go to trusted sites, you would have met your objectives.

The problem with this approach of locking and controlling access from the desktop is that you then have to lock down the machine further to prevent the users from installing another browser (such as Chrome) that does not have the GPO set, as well as other lockdowns that may be necessary to prevent access; much better to use ISA and block access there, as it is almost impossible to bypass.
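The IE-only lockdown described in the post above, as an added example that is not part of the thread. It writes the registry values that the named group policies set ("Site to Zone Assignment List", "Do not allow users to add/delete sites", "Do not allow users to change policies", "Prevent changing proxy settings") so the result can be tried on one machine before it goes into a GPO. Putting two sites in the Trusted zone does not by itself stop IE from navigating elsewhere, so the example also points IE at a proxy address that does not exist and exempts only the two allowed hosts; that proxy step, the host names and the dead port are assumptions, not something the post specifies.

```powershell
# Added example (not from the thread). Applies the IE lockdown as registry values
# so it can be tested locally; a GPO writes the same keys. Run from an elevated
# PowerShell prompt; the HKCU values apply to the current user only.

$AllowedSites = @('intranet.example.com', 'payroll.example.com')   # assumed: the two permitted sites

# Policy key used by "Site to Zone Assignment List"; zone 2 = Trusted sites.
$ZonePolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey    = "$ZonePolicy\ZoneMapKey"
# Per-user proxy settings and the policy that greys out the proxy UI.
$ProxySettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ProxyPolicy   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Set-IeSiteLockdown {
    param([string[]]$Sites)

    # 1. Put the allowed sites in the Trusted zone via the policy key, which the
    #    Internet Options dialog cannot edit (unlike the per-user ZoneMap).
    New-Item -Path $ZoneMapKey -Force | Out-Null
    foreach ($site in $Sites) {
        New-ItemProperty -Path $ZoneMapKey -Name $site -Value '2' -PropertyType String -Force | Out-Null
    }

    # 2. "Security Zones: Do not allow users to add/delete sites" and
    #    "Security Zones: Do not allow users to change policies".
    New-ItemProperty -Path $ZonePolicy -Name 'Security_zones_map_edit' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $ZonePolicy -Name 'Security_options_edit'   -Value 1 -PropertyType DWord -Force | Out-Null

    # 3. Send every other request to a proxy that is not listening (assumed dead
    #    port 9 on loopback) and exempt only the allowed hosts. This is the part
    #    that makes all other sites fail; the Trusted zone alone does not.
    New-ItemProperty -Path $ProxySettings -Name 'ProxyEnable'   -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $ProxySettings -Name 'ProxyServer'   -Value '127.0.0.1:9' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $ProxySettings -Name 'ProxyOverride' -Value ($Sites -join ';') -PropertyType String -Force | Out-Null

    # 4. "Prevent changing proxy settings", so the user cannot undo step 3 in the UI.
    New-Item -Path $ProxyPolicy -Force | Out-Null
    New-ItemProperty -Path $ProxyPolicy -Name 'Proxy' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-IeSiteLockdown {
    # Reads every value back; returns $true only if all of them are as expected.
    param([string[]]$Sites)
    $zone  = Get-ItemProperty -Path $ZonePolicy    -ErrorAction SilentlyContinue
    $map   = Get-ItemProperty -Path $ZoneMapKey    -ErrorAction SilentlyContinue
    $proxy = Get-ItemProperty -Path $ProxySettings -ErrorAction SilentlyContinue
    $ctl   = Get-ItemProperty -Path $ProxyPolicy   -ErrorAction SilentlyContinue
    if ($null -eq $zone -or $null -eq $map -or $null -eq $proxy -or $null -eq $ctl) { return $false }
    foreach ($site in $Sites) { if ($map.$site -ne '2') { return $false } }
    return ($zone.Security_zones_map_edit -eq 1 -and
            $zone.Security_options_edit   -eq 1 -and
            $proxy.ProxyEnable            -eq 1 -and
            $proxy.ProxyOverride          -eq ($Sites -join ';') -and
            $ctl.Proxy                    -eq 1)
}

Set-IeSiteLockdown  -Sites $AllowedSites
Test-IeSiteLockdown -Sites $AllowedSites
```

Two things to check after running it: open Internet Options and confirm the Security and Connections tabs are greyed out, then browse to a site that is not in the list and confirm IE reports it cannot reach the proxy. The caveat in the post still applies in full: these keys only govern WinINet (IE and anything built on it), so a portable copy of another browser, a local administrator, or any tool with its own proxy configuration is not covered, which is why the replies keep steering towards enforcing the restriction at a proxy or firewall instead of on the desktop.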
 
You could try this.... (shout if I'm wrong here ppl)

Disable the DNS/WINS settings on the PCs where you are using static IP and not DHCP.
Set the two IP addresses in the local HOSTS file and point to the correct IP addresses.

That way, unless the user knows the DNS servers, or the IP address of the website he wants to go to, he will never resolve it from a DNS server that does not exist. It will however resolve the IPs that are in the HOSTS file and the users will have access to those sites.

That should work?!?
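The HOSTS-file approach from the post above, as an added example that is not part of the thread: pin the two allowed names in HOSTS, remove the DNS servers from the adapter, and check with Windows' own resolver (which does read HOSTS) that the pinned names resolve while everything else fails. The host names, addresses and adapter alias are assumptions, and the DnsClient cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Pinned = @{                                 # assumed: allowed name -> its server's IP
    'intranet.example.com' = '10.0.0.10'
    'payroll.example.com'  = '10.0.0.11'
}
$Adapter = 'Ethernet'                        # assumed interface alias; see Get-NetAdapter

function Add-PinnedHosts {
    param([hashtable]$Map, [string]$Path = $HostsPath)
    # Append one "<ip><tab><name>" line per allowed site; HOSTS must stay plain ASCII.
    $lines = foreach ($name in $Map.Keys) { "{0}`t{1}" -f $Map[$name], $name }
    Add-Content -Path $Path -Value $lines -Encoding Ascii
    # Flush the resolver cache so the new entries are used immediately.
    Clear-DnsClientCache
}

function Remove-DnsServers {
    param([string]$InterfaceAlias = $Adapter)
    # On a statically addressed adapter this leaves no DNS server configured at all.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
}

function Test-NameResolves {
    # $true if the Windows resolver (HOSTS first, then whatever DNS servers exist)
    # returns at least one address for the name; $false on any lookup failure.
    param([string]$Name)
    try   { [System.Net.Dns]::GetHostAddresses($Name).Count -gt 0 }
    catch { $false }
}

Add-PinnedHosts -Map $Pinned
Remove-DnsServers
foreach ($name in $Pinned.Keys) { '{0}: {1}' -f $name, (Test-NameResolves $name) }
'www.example.org: {0}' -f (Test-NameResolves 'www.example.org')
```

With no DNS server on the adapter the pinned names should report True and the last line False. Keep in mind what this does and does not restrict: it only breaks name resolution, so a user who knows a public resolver's address (and can change the adapter settings, which any local administrator can) or who types the destination IP directly is not stopped, and the HOSTS entries themselves go stale whenever the two sites change address.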
 
Thanks a lot for all the replies, learnt a lot more about AD and group policies :) I eventually said fsk it to that and tried ISA... did a little research and came right. It was partially an ID10T error on my part :o

Isa 0 - 1 poffle
 
We used ISA for 2 years; it's a good product, but port forwarding is a royal nightmare.

Using Kerio Firewall now, and it's really the best package we've implemented so far.
 