Windows Server 2008 R2 Thread, Restricting internet in one computer lab but retaining server access in Technical; Once again I need your zen like experience people.
There are 8 computer labs/rooms in the college. We have a ...
Restricting internet in one computer lab but retaining server access
Once again I need your zen like experience people.
There are 8 computer labs/rooms in the college. We have a Server 2008R2 domain controller for AD, DHCP and DNS and Untangle Lite running on another HP server doing the filtering. The Untangle boxes takes a feed from the internet router into one network card and is connected to the main network through a second network card.
There is an exam on Saturday morning and the students will need to save data to their home folders for later collection by the teacher and they will also need to print to the lab printer which is done through the server.
However, they can't have internet access.
Is there a way through group policy to isolate this computer lab so it doesn't have internet access but does have normal domain/network access while leaving the other labs alone? This is a part time course exam so it is the only one on in the college at that time. I know I could just unplug the router but the daytime/fulltime exams are coming up in a couple of weeks and I will have to do the same for some of them.
I read somewhere else that you could change the gateway that the server puts out in DHCP but this would affect all computers....or is there a way to change the DHCP settings for one set of computers? I didn't think so but then again I'm not qualified in servers, just teaching myself as I go along and certain things are needed.
I also read somewhere that I could use GP to put a random proxy into IE but Firefox may be on some of the PCs or Chrome so if I change the policy for IE would any other browser automatically pick up on that?
If your using DHCP on 2008 R2 you could make all the machines reservations then just put a fake IP address for the Gateway. Within DHCP right click the machine and Create Reservation. Once reservation is set you can then change the options to look at a fake gateway.
I'm assuming that each lab is in its own OU in active directory, but wouldn't the easiest solution be to create a group policy that sets the proxy to an IP that doesn't exist on the network? (Or 127.0.0.1).
That way the machines would still have access to everything on the network (you could even allow intranet pages if you wished by making them a proxy exception).
Edit: Actually as I write this I do realise the problem - this would only really affect IE, so if you're using firefox or anything else and they're NOT set to "Use system settings" for the proxy then they would still work...
can you how? just had a quick look and i cant see how
In 2008 R2 DHCP msc, Right click lease in address leases > Click on add to Reservation. Then open Reservations and in left pane right click the reservation that you made and click configure options. Jus change the gateway ip address.
Create a new GPO with duff proxy settings and create a software restriction policy to prevent IE, Chrome and FF from running. Prepare and test in advance and all should be fine.
Ideally all workstations in the Computer Lab in question should be under one OU, then you can link the newly created GPO to that.
Thanks Michael, sorry for delay in thanking you, had a busy week and only getting a chance to implement this now. I will try your suggestion of preventing browsers from running. I know there are other browsers but those three are the only ones installed and as students can't install anything I think that should cover it.
I'll let you know if it works. Here I am at 4pm trying it out...typical
Its something I thought of alright but I would rather something that is turn on and offable to quote a famous turtle so I'm going to try Michael's solution. Plus at 4 pm the day before the exam a quick solution through GP is handiest for now.
Thanks Davitt, that sounds like and interesting solution and not something I was aware of. I might give that a try the next time but as the GP solution from Michael is something I'm a little familiar with I'll try that for now.
Thanks for the suggestion and I'll let you know how it goes if I get around to trying it.