[Forefront TMG] Restricting network access
I am on holiday at present but I am sure I will need to set this up when I get back. So I'm doing some advance homework.
I am looking to restrict network access to certain logins, in particular, restricting internet access.
Our new Windows network is using Forefront TMG as a firewall. It is not part of the domain but does have access to a RADIUS server - currently for VPN use.
Our new clients are Windows 7 but many teachers' machines will be Win XP. I know from previous experience that some of the old school XP machines could not run SP3 (or was it SP2?) due to video card issues, so let's assume any solution should work for Windows XP SP1.
Currently the school, office and IT LANs route through a Windows 2008R2 server using RRAS LAN routing. The Forefront TMG firewall is on the IT LAN, but out of the active server domain. I see from the Forefront documentation that creating access groups on a per user basis will slow things down - plus, I assume that authentication will be an issue with Forefront being in DMZ. So I assume that using TMG to filter on per user basis is not a solution.
I guess that I can create a per-user-group GPO that sets the IE proxy to something benign (localhost?), but I would rather have a network-based solution.
But the LAN routing Windows 2008R2 machine seems a good central point for restricting network usage. Is there anything that can possibly be done here, maybe with RRAS, NPS, IPSEC or the firewall?
I think what the teachers will be asking for is a classroom PC that, when logged in with a generic 'Classroom' username with little or no password protection, will not provide any network access for the user, except to the intranet for email and taking the register. Just like it used to be in the old days, when the school had no network security other than disconnecting it from the LAN, and teachers didn't use email or take the register electronically.
Thanks in advance