Windows Server 2003/2008 Group Policy Question

Discussion in 'Networking & Security' started by AMD_RULES, Sep 9, 2008.

  1. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,013
    Joined:
    Mar 26, 2007
    I do not have a network at work (yet) but I was wondering how and if there is a way that you can disable an internet browser usage on a specific user group, but that user group can still access the internet for software that requires the internet?

    Thanks :)
     
  2. vage

    vage 2[H]4U

    Messages:
    3,052
    Joined:
    Jan 10, 2005
    you can block HTTP traffic, the software you are running shouldn't need that port.
     
  3. xphil3

    xphil3 [H]ard|Gawd

    Messages:
    1,212
    Joined:
    Nov 11, 2005
    The right way to do this, if you want to use GPO's is to use proxy redirection, force everyones browser to some bogus proxy. Done.

    If you don't want to go this route, you can always block at the network device as well, block all port 80 traffic, you can add bogus DNS servers through DHCP and not allow network config changes through GP. Theres a lot of different ways to do what you want to do :)

    personally idd just block at the edge, but if you want to use GPO go with the bogus proxy redirection.
     
  4. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,013
    Joined:
    Mar 26, 2007
    Here's the senario. There are a total of six users on the network. Three will have full Admin accounts. The other three accounts need to be setup so that they cannot surf the web, but the "electronic claim" feature of the software can get to the internet. (Medical office)

    Is there anyway to "disable" Internet explorer on the group policy? I would like to have IE installed on the physical machine, just certain users not able to use/access it.
     
  5. priteshvarsani

    priteshvarsani Limp Gawd

    Messages:
    157
    Joined:
    Jul 11, 2007
    Set up a null proxy in internet explorer through a few GPO's, and hope that the medical software does not use the IE settings. Thats the lazy way.

    Check through all of the group policies, otherwise make your own policy template (i did this before, it werent easy to say the least)
     
  6. xphil3

    xphil3 [H]ard|Gawd

    Messages:
    1,212
    Joined:
    Nov 11, 2005
    again, read my post. I outlined it nicely.

    http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1099219,00.html
    ^ google is your friend :D;)
     
  7. marley1

    marley1 [H]ardness Supreme

    Messages:
    5,448
    Joined:
    Jul 18, 2000
    yeah i fucked around with the null proxy on a few tests machines, i do not think its the "right" way but it would do what you want it too.
     
  8. marley1

    marley1 [H]ardness Supreme

    Messages:
    5,448
    Joined:
    Jul 18, 2000
    could also do it with a firewall that has AD support, then u can block users to websites etc.
     
  9. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,013
    Joined:
    Mar 26, 2007
  10. xphil3

    xphil3 [H]ard|Gawd

    Messages:
    1,212
    Joined:
    Nov 11, 2005
    Try it out for yourself and see ;). No, if you put set your browser to use a proxy server and put all zeros for the IP address, you can't go anywhere.
     
  11. metallicafan

    metallicafan [H]ard|DCer of the Month - May 2010

    Messages:
    2,195
    Joined:
    Mar 30, 2005
    Yeah the bogus proxy will work. If memory serves in the GPO you can set exceptions as well. So if you want to block most internet traffic for all of them but still allow them to get to a specific site or intranet site then you can allow that.