I reckon he's just logged on as someone else...
Originally Posted by jcollings
I create a sub OU (not internet access) with a new GPO and enter false proxy server settings. Then under User Config/Admin Template/System/Don't Run Specified Windows Applications (add iexplore.exe, firefox.exe and firefoxportable.exe) to the list.
Also make sure that the user cannot log on if their profile fails to load (i.e. student may remove network cable during logon so that GP settings are not applied) Comp Settings/Admin Templates/System/User Profiles/ Log User off when roaming profile fails
Get a proxy that allows you to block usernames.
Use a software restriction on an OU to deny Internet Explorer (This will only work well with IE7 as there are ways around it with IE 6) then pop the users in there.
Set up the logon scripts so you know when a particular user has logged on so you can observe them remotely to see what they are up to.
Originally Posted by jcollings
Like you, we have a domain group called "Webdeny" and proxy settings set at the machine and user level.
However we have an ISA2004 server sat up on the edge of the network and separating us from our RBC (the RBC hates it being there, as it stops them coming in when they want, but after they transmitted the Blaster worm or whatever it was to us in the summer of 2003 they just can't be trusted!)
Members of the group webdeny are banned from going out onto the web by a rule on the ISA server unless it is for specific sites - we operate a whitelist of sites always used for educational purposes (such as mymaths.co.uk) so the naughty students are restricted from general internet use but can still do their work.
Works well enough for us - they hate the fact that they can't get around it: they can run what they like on the PC, be it Firefox from a USB stick or IE, but the proxy just won't let them through if they've been bad boys or girls.
I'd be inclined to agree with gwendes, we've had this before when we were asked to block someone from the internet only to find that they already were.
We do our banning with Policy Central which can be told to completely block IE, both the executable and then all websites even if you did somehow get past not having a browser.
On connecting to the room with netsupport we found the same user logged onto 3 machines.

We have an OU that denies internet access - the whole school is going into it Friday morning because I'm pissed off with staff allowing the kids to do nothing but surf the net and look at rubbish all week.....
:-)
I like your thinking, tech guy.
I'm going to filter out all flash content!
Same here, OU with no IP in the proxy settings for the naughty blighters. I am also fed up of staff letting kids play games, etc, and may also drop the entire school into the OU, we've already had one TFT smashed as someone got frustrated at losing his game.......... Dread to think how many mice have been trashed by bored kids :twisted:
Originally Posted by gwendes
No he wasn't - that was the first thing I checked.
Finally figured it (I think) - something to do with CLEO set up we'd just implemented whereby an auto config their end simply checks for our proxy and if it doesn't find it drops them out to their proxy - so we'd put bogus details in using script etc and the CLEO bit says "oh that isn't the right setting - have ours" thus giving them a route out. Sorted it now.
On another note if I specify a GP to stop IE running why is it that Microsoft seem to think that only means by clicking the icon so they can still call it via Excel macro for example!??!
Originally Posted by jcollings
Hmm, that made me wonder if the kiddiewinks can avoid blocks on iexplore.exe by doing:
Data > Import External Data > New Web Query
and browsing in that window instead. It seems to render using IE and will display Flash content. No right-click menu on web pages, but otherwise it seems unrestricted.
Where possible it seems to make more sense to block them on the proxy.
Also, might it be an idea to move this thread into security?
Some of the indirect ways of running IE have it run as system, which can bypass certain things. This is apparently improved with IE 7.
jcollings..
Run GPResults to make sure that the proxy settings are still being applied to the security group.
If you have GPMC installed it should tell you what GPO is being applied..
We use SchoolGuardian and have a security group called G No Internet which blocks internet access to members of that group
How do you apply the policy - are the users moved to another (sub-)OU or is the GPO set to only apply to the security group?
We have a similar setup for denying USB drives where we have Sub-OUs in each Year's OU called "No Drives" - a GPO is then attached to this Sub-OU to disable pen drives and the "Enforced" flag is set..
Craig.
Originally Posted by georgebush
Have a look at CConnect on the Windows server resource kit if you get a mo.
We use this to restrict the maximum number of concurrent logons that will be accepted for any one student user ID.
It also comes with a handy admin front end that shows you where the little scamps are logged on, and allows you to remotely log them off too.
Originally Posted by TheCrust
Other than LimitLogin - is there a non-RM equivalent to this?
Wow, just tried this (as we wanted to block a couple of little darlings from all web activity due to misuse while letting the rest carry on) - works perfectly. Nice one. I thought this'd be a huge operation, but all I need to do is drop them into the sub OU that denies the above - sweeeeet.
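Added example, not from any poster in this thread: several posts above suggest logging logons from the logon script and limiting concurrent logons, because a blocked student may simply be logged on as someone else on several machines. The sketch below replays such a log and reports accounts that were logged on to more than one machine at once; the CSV layout (time, event, user, machine) and all account and machine names are assumptions constructed for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: lines a logon/logoff script might append to a share.
# The layout time,event,user,machine is an assumption of this example.
SAMPLE_LOG = """\
2007-03-01T09:00:05,LOGON,jsmith,IT1-PC04
2007-03-01T09:00:40,LOGON,abrown,IT1-PC07
2007-03-01T09:01:10,LOGON,JSmith,it1-pc11
2007-03-01T09:02:30,LOGOFF,abrown,IT1-PC07
2007-03-01T09:03:00,LOGON,jsmith,IT1-PC12

2007-03-01T09:04:15,LOGON,abrown,LIB-PC02
2007-03-01T09:10:00,LOGOFF,jsmith,IT1-PC04
"""

def concurrent_logons(log_text, max_sessions=1):
    """Replay events in time order and return {user: machines} holding the
    largest simultaneous set for each user who exceeded max_sessions."""
    active = defaultdict(set)   # user -> machines currently logged on
    peaks = {}                  # user -> largest simultaneous set seen
    rows = [r for r in csv.reader(StringIO(log_text)) if len(r) == 4]
    rows.sort(key=lambda r: r[0])          # ISO timestamps sort as text
    for _, event, user, machine in rows:
        user = user.strip().lower()        # account names are case-insensitive
        machine = machine.strip().upper()
        event = event.strip().upper()
        if event == "LOGON":
            active[user].add(machine)
        elif event == "LOGOFF":
            active[user].discard(machine)
        now = active[user]
        if len(now) > max(max_sessions, len(peaks.get(user, ()))):
            peaks[user] = set(now)
    return peaks

if __name__ == "__main__":
    for user, machines in concurrent_logons(SAMPLE_LOG).items():
        print(f"{user}: {len(machines)} simultaneous logons on {sorted(machines)}")
```

A missing LOGOFF line (power cut, pulled cable) leaves a session marked active, so treat hits as a prompt to check the machines remotely rather than as proof.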