Stopping Clients from Accessing Internet

G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Hi,

We've got some clients on our 2003 network that we'd like to keep from
accessing the Internet. We've used our ISA server (Access Policy -- Site
and Content Rules) to stop them from browsing via IE. I thought this would
stop them period, but they can still browse via Windows Explorer!

Is there a policy that will stop the Internet functionality of Windows
Explorer? Or is there some other way? I've thought of putting them on
NetBui protocol instead of IP (they need networked printing), but I'm not
sure if NetBui is still available on Server 2003.

Thanks for any help,

Sincerely,
Kyle
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

If it's a small number of machines, why not just take away the default
gateway?

"Kyle Stedman" <kyle_st@yahoo.com> wrote in message
news:Xns96A2A0FCD33DFeester@69.28.186.158...
> Hi,
>
> We've got some clients on our 2003 network that we'd like to keep from
> accessing the Internet. We've used our ISA server (Access Policy -- Site
> and Content Rules) to stop them from browsing via IE. I thought this would
> stop them period, but they can still browse via Windows Explorer!
>
> Is there a policy that will stop the Internet functionality of Windows
> Explorer? Or is there some other way? I've thought of putting them on
> NetBui protocol instead of IP (they need networked printing), but I'm not
> sure if NetBui is still available on Server 2003.
>
> Thanks for any help,
>
> Sincerely,
> Kyle
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

In a WAN environment, there may be resources that require the gateway.
Also, other than machine specific DHCP reservations, is there a way to
remove the gateway on a per-user basis?

The idea is intriguing.

What I have been doing is using a login script to set the proxy server
address to 127.0.0.1 and enabling the proxy. I also specify a list of
domains that all users can get to using the proxyoverride setting, and
further specify that the proxy server is bypassed for local addresses.

I then use gpo to disable the connections tab in IE.

Not QUITE perfect, as users could conceivable edit the registry to turn
the connections back on or to disable the proxy server setting.

I'm testing to see if their are functional consequences to disabling
access to registry modication tools using gpo.

--Vorpal
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Hi,

Your ISA server should block everything if you have enabled authentication.
I have ISA and have never had a problem. In my rules for "Internet" I just
"Allow" everyone "except" the users that I don't want accessing and voila. I
am using ISA 2004 though so it may be different.

Have you installed the ISA client on the workstations? Mine works for
Mozilla and even FTP so it should work for Windows. Also, disable access to
Iexplorer.exe on the workstation using Permissions. That will do it for sure.
Just leave the Administrator and System as full control and remove "Users"
and all other accounts. Windows Explorer just opens up IE when an IP is put
in. You could also disable the Address Bar in Windows Explorer.

Cheers,

Lara

"Kyle Stedman" wrote:

> Hi,
>
> We've got some clients on our 2003 network that we'd like to keep from
> accessing the Internet. We've used our ISA server (Access Policy -- Site
> and Content Rules) to stop them from browsing via IE. I thought this would
> stop them period, but they can still browse via Windows Explorer!
>
> Is there a policy that will stop the Internet functionality of Windows
> Explorer? Or is there some other way? I've thought of putting them on
> NetBui protocol instead of IP (they need networked printing), but I'm not
> sure if NetBui is still available on Server 2003.
>
> Thanks for any help,
>
> Sincerely,
> Kyle
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Great, it is a small number of machines. You mean the default gateway on
their local "Network Connection" settings?

Thanks,
Kyle

"Ken B" <none@microsoft.com> wrote in
news:OfVTqyplFHA.3960@TK2MSFTNGP12.phx.gbl:

> If it's a small number of machines, why not just take away the default
> gateway?
>
> "Kyle Stedman" <kyle_st@yahoo.com> wrote in message
> news:Xns96A2A0FCD33DFeester@69.28.186.158...
>> Hi,
>>
>> We've got some clients on our 2003 network that we'd like to keep
>> from accessing the Internet. We've used our ISA server (Access Policy
>> -- Site and Content Rules) to stop them from browsing via IE. I
>> thought this would stop them period, but they can still browse via
>> Windows Explorer!
>>
>> Is there a policy that will stop the Internet functionality of
>> Windows Explorer? Or is there some other way? I've thought of putting
>> them on NetBui protocol instead of IP (they need networked printing),
>> but I'm not sure if NetBui is still available on Server 2003.
>>
>> Thanks for any help,
>>
>> Sincerely,
>> Kyle
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Hi Lara,

Yes, we've only got one rule which applies to all Users (allow all:
domain\domain users

Can I just another rule to the one above that excludes certain users? Or
would I have to make the rule above more granular first?

Thanks for your help,

Kyle

"=?Utf-8?B?bGZvcmJlcw==?=" <lforbes@discussions.microsoft.com> wrote in
news:E28CC872-EA7D-4267-8950-75608FE8E5C3@microsoft.com:

> Hi,
>
> Your ISA server should block everything if you have enabled
> authentication. I have ISA and have never had a problem. In my rules
> for "Internet" I just "Allow" everyone "except" the users that I don't
> want accessing and voila. I am using ISA 2004 though so it may be
> different.
>
> Have you installed the ISA client on the workstations? Mine works for
> Mozilla and even FTP so it should work for Windows. Also, disable
> access to Iexplorer.exe on the workstation using Permissions. That
> will do it for sure. Just leave the Administrator and System as full
> control and remove "Users" and all other accounts. Windows Explorer
> just opens up IE when an IP is put in. You could also disable the
> Address Bar in Windows Explorer.
>
> Cheers,
>
> Lara
>
> "Kyle Stedman" wrote:
>
>> Hi,
>>
>> We've got some clients on our 2003 network that we'd like to keep
>> from accessing the Internet. We've used our ISA server (Access Policy
>> -- Site and Content Rules) to stop them from browsing via IE. I
>> thought this would stop them period, but they can still browse via
>> Windows Explorer!
>>
>> Is there a policy that will stop the Internet functionality of
>> Windows Explorer? Or is there some other way? I've thought of putting
>> them on NetBui protocol instead of IP (they need networked printing),
>> but I'm not sure if NetBui is still available on Server 2003.
>>
>> Thanks for any help,
>>
>> Sincerely,
>> Kyle
>>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Hi,

Yes Kyle you can add another rule above that excludes and it will take
precedence without any modification. However on ISA 2004 you actually have a
"exlusions" box below the "allow" box in the standard rule where you can
enter Users. That is where I usually just add the names of the users that are
excluded from the rule (allow internet).

My users roam so I have to do it via ISA. However, if the computers are the
same all the time, removing the users and everyone permissions from reading
iexplore.exe on the local machine works even better.

Cheers,

Lara

"Kyle Stedman" wrote:

> Hi Lara,
>
> Yes, we've only got one rule which applies to all Users (allow all:
> domain\domain users
>
> Can I just another rule to the one above that excludes certain users? Or
> would I have to make the rule above more granular first?
>
> Thanks for your help,
>
> Kyle
>
> "=?Utf-8?B?bGZvcmJlcw==?=" <lforbes@discussions.microsoft.com> wrote in
> news:E28CC872-EA7D-4267-8950-75608FE8E5C3@microsoft.com:
>
> > Hi,
> >
> > Your ISA server should block everything if you have enabled
> > authentication. I have ISA and have never had a problem. In my rules
> > for "Internet" I just "Allow" everyone "except" the users that I don't
> > want accessing and voila. I am using ISA 2004 though so it may be
> > different.
> >
> > Have you installed the ISA client on the workstations? Mine works for
> > Mozilla and even FTP so it should work for Windows. Also, disable
> > access to Iexplorer.exe on the workstation using Permissions. That
> > will do it for sure. Just leave the Administrator and System as full
> > control and remove "Users" and all other accounts. Windows Explorer
> > just opens up IE when an IP is put in. You could also disable the
> > Address Bar in Windows Explorer.
> >
> > Cheers,
> >
> > Lara
> >
> > "Kyle Stedman" wrote:
> >
> >> Hi,
> >>
> >> We've got some clients on our 2003 network that we'd like to keep
> >> from accessing the Internet. We've used our ISA server (Access Policy
> >> -- Site and Content Rules) to stop them from browsing via IE. I
> >> thought this would stop them period, but they can still browse via
> >> Windows Explorer!
> >>
> >> Is there a policy that will stop the Internet functionality of
> >> Windows Explorer? Or is there some other way? I've thought of putting
> >> them on NetBui protocol instead of IP (they need networked printing),
> >> but I'm not sure if NetBui is still available on Server 2003.
> >>
> >> Thanks for any help,
> >>
> >> Sincerely,
> >> Kyle
> >>
> >
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Thanks Lara!

Kyle

"=?Utf-8?B?bGZvcmJlcw==?=" <lforbes@discussions.microsoft.com> wrote in

news:42926912-9FDA-4DD5-BDA1-4A06EB148D86@microsoft.com:

> Hi,
>
> Yes Kyle you can add another rule above that excludes and it will take
> precedence without any modification. However on ISA 2004 you actually
> have a "exlusions" box below the "allow" box in the standard rule
> where you can enter Users. That is where I usually just add the names
> of the users that are excluded from the rule (allow internet).
>
> My users roam so I have to do it via ISA. However, if the computers
> are the same all the time, removing the users and everyone permissions
> from reading iexplore.exe on the local machine works even better.
>
> Cheers,
>
> Lara
>
> "Kyle Stedman" wrote:
>
>> Hi Lara,
>>
>> Yes, we've only got one rule which applies to all Users (allow all:
>> domain\domain users
>>
>> Can I just another rule to the one above that excludes certain users?
>> Or would I have to make the rule above more granular first?
>>
>> Thanks for your help,
>>
>> Kyle
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Glad to help. Hope you find a solution that works.

Cheers,

Lara

"Kyle Stedman" wrote:

> Thanks Lara!
>
> Kyle
>
> "=?Utf-8?B?bGZvcmJlcw==?=" <lforbes@discussions.microsoft.com> wrote in
>
> news:42926912-9FDA-4DD5-BDA1-4A06EB148D86@microsoft.com:
>
> > Hi,
> >
> > Yes Kyle you can add another rule above that excludes and it will take
> > precedence without any modification. However on ISA 2004 you actually
> > have a "exlusions" box below the "allow" box in the standard rule
> > where you can enter Users. That is where I usually just add the names
> > of the users that are excluded from the rule (allow internet).
> >
> > My users roam so I have to do it via ISA. However, if the computers
> > are the same all the time, removing the users and everyone permissions
> > from reading iexplore.exe on the local machine works even better.
> >
> > Cheers,
> >
> > Lara
> >
> > "Kyle Stedman" wrote:
> >
> >> Hi Lara,
> >>
> >> Yes, we've only got one rule which applies to all Users (allow all:
> >> domain\domain users
> >>
> >> Can I just another rule to the one above that excludes certain users?
> >> Or would I have to make the rule above more granular first?
> >>
> >> Thanks for your help,
> >>
> >> Kyle
>
>