Preventing access to the internet for a single user

banGerprawN

I have a stand-alone PC running XP Pro at a separate location that uses an always-on DSL connection. This PC is used by a member of my company that needs access to the Internet, but at the same time is also used by other people (not company employees) that need to have their internet access restricted. These other people have separate user accounts to the company employee.
What I need to be able to do is prevent all access to Internet resources from this PC, but only for specific user accounts. Obviously, it's possible to create an IP Security Policy that blocks all incoming/outgoing traffic, and that works marvellously well, except I'm not sure how to apply it only to certain users or groups.
Editing IE proxy information for each user to point to a non-existent proxy, and then editing their security rights so they cannot change proxy settings is not an option, because I need to stop other programs (not just IE) from accessing the Internet.
Is this possible without using a server/domain?
 
I thought I did something like this once with certain hardware profiles being allowed for certain users and whatnot... I'd google that if I were you.
 
Kaos said:
I thought I did something like this once with certain hardware profiles being allowed for certain users and whatnot... I'd google that if I were you.
That's an idea. I'll check it out.
 
Is this a poweruser we're talking about here? Or just someone that knows just enough to open the "Big Blue E"? If it's the latter, then you can probably just reset permissions on the executable for IE to deny that user.
 
Nate7311 said:
Is this a poweruser we're talking about here? Or just someone that knows just enough to open the "Big Blue E"? If it's the latter, then you can probably just reset permissions on the executable for IE to deny that user.
Nah, there's a few on there that are powerusers. I'm mainly trying to prevent access to p2p/filesharing programs, and chat clients, along with general internet access (through Firefox, not IE). I just figured that, instead of locking down the programs that can be used, I could prevent it in the future as well by taking away the part that makes it so alluring - internet access.
 
Using a VBscript logon script and netsh you should be able to write something that will set the IP address to a garbage value based on their username. Assuming they are non-administrators, they shouldn't be able to change it to something useful. Here is a sample bit for the netsh command that I stole from the internet:

Code:
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1

As far as the VBscript goes, you'd need to do a little checking (I usually find and modify existing scripts for my needs), but I think something like this would work (using correct syntax, of course).

Code:
' Logon script: give blocked accounts an unusable static address, everyone else the normal DHCP lease.
Set sh = CreateObject("WScript.Shell")
user = LCase(CreateObject("WScript.Network").UserName)
If user = "blockeduser1" Or user = "blockeduser2" Then   ' placeholder names for the restricted accounts
    ' "junk data": link-local address and gateway that route nowhere
    sh.Run "netsh interface ip set address name=""Local Area Connection"" static 169.254.1.1 255.255.0.0 169.254.1.2 1", 0, True
Else
    ' "good data": hand the adapter back to DHCP
    sh.Run "netsh interface ip set address name=""Local Area Connection"" source=dhcp", 0, True
End If

Hope this helps, or at least gives you a better idea for implementation.

::edit::
you could also use this with the net start and net stop commands to stop the services that allow internet access, and then just make sure they can't mess with the services manually.

 
Set the proxy settings in IE to point to somewhere bogus. You can then do a registry merge to grey out the proxy settings for that user. Google it, it's like AdminLockOut or something. I did this for a few computers at work.
 
BuGaLoU said:
Set the proxy settings in IE to point to somewhere bogus. You can then do a registry merge to grey out the proxy settings for that user. Google it, it's like AdminLockOut or something. I did this for a few computers at work.
banGerprawN said:
Editing IE proxy information for each user to point to a non-existent proxy, and then editing their security rights so they cannot change proxy settings is not an option, because I need to stop other programs (not just IE) from accessing the Internet.
uzor said:
Using a VBscript logon script and netsh you should be able to write something that will set the IP address to a garbage value based on their username. Assuming they are non-administrators, they shouldn't be able to change it to something useful. Here is a sample bit for the netsh command that I stole from the internet:
Code:
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1
As far as the VBscript goes, you'd need to do a little checking (I usually find and modify existing scripts for my needs), but I think something like this would work (using correct syntax, of course).
Code:
get username
if username = blocked names
then run netsh junkdata
else run netsh good data
end if
Hope this helps, or at least gives you a better idea for implementation.
Fucking perfect. I didn't even think of that. If this was a place like experts exchange, I'd give you the points

uzor said:
::edit::
you could also use this with the net start and net stop commands to stop the services that allow internet access, and then just make sure they can't mess with the services manually.
Can't do that, unfortunately. It disconnects the router from the other users if they're logged on at the same time, and a restart seems to be required to get it going again. Very odd.
 
banGerprawN said:
Fucking perfect. I didn't even think of that. If this was a place like experts exchange, I'd give you the points

Glad to be of assistance. If/when you get it running, I'd be interested in seeing your completed script if you're willing to share.

A bit off-topic: Assuming you are a subscriber/member/whatever to experts exchange, how much is it and is it worth it? I get hits from them all the time when researching various windows problems, but I can't bring myself to pay for their site to get an answer for my question... it seems like holding the info hostage or something. Bad mojo.

 
uzor said:
Glad to be of assistance. If/when you get it running, I'd be interested in seeing your completed script if you're willing to share.
I'll put it up for sure.
A bit off-topic: Assuming you are a subscriber/member/whatever to experts exchange, how much is it and is it worth it? I get hits from them all the time when researching various windows problems, but I can't bring myself to pay for their site to get an answer for my question... it seems like holding the info hostage or something. Bad mojo.

I'm not a member, so I have no idea whatsoever. I get plenty of hits from there as well when googling. The members seem pretty knowledgeable. It's helped me more than a few times...
 
uzor said:
If/when you get it running, I'd be interested in seeing your completed script if you're willing to share.
Well, I didn't quite follow your suggestion (VB scripting = PITA), but I did come up with an alternate way to do this, and it's ultra-simple and works perfectly.
Basically, I used the IP Security policy that I'd already created that blocked all outgoing and incoming ports, assigned it (made effective), and then created 2 batch files. One was to start the IPSEC service, and the other was to stop it. This is done with the following code:

Starting IPSEC
Code:
@echo off
net start PolicyAgent
exit
Ending IPSEC
Code:
@echo off
net stop PolicyAgent
exit
The "Start IPSEC" batch file was placed in a start-up folder for the limited user(s) (or alternately started from the logon-script of the specific user/group, or also started using registry entries, whatever fills your doughnut), and the "Stop IPSEC" was started every time an unrestricted user logged on.
I then edited the security policy for the limited users/group, so that they were unable to edit the registry (deleting start-up services), or to end any type of service.
Since the IP Security policy is controlled by the PolicyAgent service, and this computer is not used as a router/server/etc, killing the IPSEC service allows unrestricted internet access.
Simple!


Thanks for the
uzor said:
::edit::
you could also use this with the net start and net stop commands to stop the services that allow internet access, and then just make sure they can't mess with the services manually.
suggestion here, it's what got me thinking of the services way, only instead of just stopping the WAN services, I worked backwards and started services to block, ended services to unblock, etc, etc.
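An added example, not from the thread: the two batch files above folded into a single logon script that starts PolicyAgent for the restricted accounts, stops it for everyone else, and confirms the service state with sc query. The account names are placeholders, and the "block everything" IPsec policy is assumed to be assigned already, as in the post.

```batch
@echo off
rem Added example (not from the thread): one logon script instead of two batch files.
rem Assumes the "block everything" IPsec policy is already assigned to the machine.
rem The restricted account names below are placeholders; list the limited users here.
set RESTRICTED=guest1 guest2

for %%U in (%RESTRICTED%) do if /i "%USERNAME%"=="%%U" goto restricted

rem Unrestricted user: stop the agent so the assigned IPsec policy is no longer enforced.
net stop PolicyAgent >nul 2>&1
sc query PolicyAgent | find /i "STOPPED" >nul && echo Internet unblocked for %USERNAME%
exit /b 0

:restricted
rem Restricted user: (re)start the agent so the blocking policy is enforced.
net start PolicyAgent >nul 2>&1
sc query PolicyAgent | find /i "RUNNING" >nul && echo Internet blocked for %USERNAME%
exit /b 0
```

Because PolicyAgent is a machine-wide service, the most recent logon decides the state for everyone currently logged on; the script does not change that property of the approach.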
 