Most effective way to give a limited access user no internet access? (XP SP2)

RandysWay

Just as the title says. What is the easiest, yet most effective way to give a limited user account on XP SP2 no internet access, that won't 'undo' itself over time? Thanks. ;)
 
For one, create a user account that does not have administrator rights. That "should" keep them from installing new software. You'll have to test this. If you're running NTFS, you could lock down the Program Files folder by adjusting the security settings for it and all child folders to read only for the unprivileged user.

One way I've disabled use of Internet Explorer is to set the Proxy setting to 127.0.0.1. Since the system is not running a proxy, IE will then always fail to reach the internet.

To prevent anyone from changing the proxy settings, run gpedit.msc, select User Configuration, Administrative Templates, Internet Explorer, and see "Disable changing connection settings" and "Disable changing proxy settings".

You could also go into "Computer Configuration", Administrative Templates, Internet Explorer, Internet Control Panel, and select the "Disable the Connections Page".


There are other ways. Do you have a router/firewall between your network and the Internet? Do you have a spare box you can set up as a proxy server? Install a proxy server, such as Squid on a spare box running 24/7. Configure it to require user login to the proxy, and configure per-user access restrictions. Then configure the router/firewall to only allow outgoing traffic via the proxy server. This will force your "limited access user" to go through the proxy to reach the internet, and you can finely control who has what access.
 
Thanks for your reply!

This is for a customer's PC, so setting up a dedicated proxy server wouldn't be an option. Proxy setting on IE sounds perfect; however any other programs could still be able to access the internet. Just a minute ago I had an idea; as I don't have their PC here to test it, and I don't want to set up an additional account on my home box, could I simply go to Network Connections, LAN > TCP/IP, and switch it from "Obtain IP Address/DNS Server Automatically" to my own, 'non-existent' settings? Would XP inevitably "fix" or "repair" the settings over time?

Thanks again. ;)
 
Well.. that depends.

Is this customer PC on a company network? Does it need to print to a network printer or see other file servers? If yes, then that won't work.

How is this PC accessing the Internet?

Dial-up? Office-wide connection?
 
Could you write a hosts file that maps all non-local IPs to 127.0.0.1? Or you could configure Windows Firewall in such a way that it does not allow internet access?
 
Modifying the hosts file would be a pain.
What happens if someone adds a network printer, or another server and this guy wants to access it? Someone will be forced to update his /etc/hosts file..

Besides, I don't think you can do that. Are you going to map every possible hostname on the internet to 127.0.0.1?

I've looked at my XP64 Windows firewall settings, and I don't see a "Default deny" policy available for outgoing traffic. It's all for controlling inbound traffic. Maybe 32-bit XP SP2 is different. I'll have to look when I get home.
 
Bind a static IP to the machine and don't assign a DNS Server. ;)
 
Yeah, binding a static ip would work. Instead of not assigning a DNS, you could not assign a default gateway, assuming all the other network printers/servers are on the same subnet.

Either way would work...
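
The two static-IP suggestions above (no DNS server versus no default gateway), modelled as an added example that is not part of the thread. It is a simplified routing check; the addresses are constructed samples, and hosts-file entries, cached lookups and extra adapters such as dial-up are assumed absent.

```python
import ipaddress

# Constructed sample addresses: a 192.168.1.0/24 LAN and a documentation-range
# (203.0.113.0/24) address standing in for an internet host.
LAN_PRINTER = "192.168.1.20"
INTERNET_HOST = "203.0.113.10"

NO_DNS = {"address": "192.168.1.50", "mask": "255.255.255.0",
          "gateway": "192.168.1.1", "dns": None}
NO_GATEWAY = {"address": "192.168.1.50", "mask": "255.255.255.0",
              "gateway": None, "dns": "192.168.1.1"}


def _routable(iface, gateway, target):
    """On-link targets are always reachable; anything else needs an on-link gateway."""
    if target in iface.network:
        return True
    return gateway is not None and ipaddress.ip_address(gateway) in iface.network


def can_reach(cfg, dest_ip, by_name=False):
    """True if a host configured as cfg can connect to dest_ip.

    by_name=True means the user typed a hostname, so a DNS server must be
    configured and reachable first. Simplified model: hosts-file entries,
    cached lookups and extra adapters (e.g. dial-up) are ignored.
    """
    iface = ipaddress.ip_interface(f"{cfg['address']}/{cfg['mask']}")
    if by_name:
        if cfg["dns"] is None:
            return False
        if not _routable(iface, cfg["gateway"], ipaddress.ip_address(cfg["dns"])):
            return False
    return _routable(iface, cfg["gateway"], ipaddress.ip_address(dest_ip))


def survey(cfg):
    """Summarise what still works under a given static configuration."""
    return {
        "lan_printer_by_ip": can_reach(cfg, LAN_PRINTER),
        "internet_by_name": can_reach(cfg, INTERNET_HOST, by_name=True),
        "internet_by_ip": can_reach(cfg, INTERNET_HOST),
    }


if __name__ == "__main__":
    for label, cfg in (("no DNS", NO_DNS), ("no gateway", NO_GATEWAY)):
        print(label, survey(cfg))
```

In this model, leaving out the DNS server only breaks name lookups, so connections to a raw IP address still leave the LAN; leaving out the default gateway blocks both while same-subnet devices stay reachable.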
 