+ Post New Thread
Results 1 to 13 of 13
Windows Thread, Disable Internet for a group of PCs in Technical; Hello all, At the moment I seem to be asked this question every month! Here's how I do it using ...
  1. #1

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340

    Thumbs up Disable Internet for a group of PCs

    Hello all,

    At the moment I seem to be asked this question every month! Here's how I do it using Windows Server 2003 Group Policies!

    Wherever your workstations are located in your domain structure, create another sub OU, so for example:

    Root - Curriculum
    Sub - Pupils
    Sub - ICT Suite
    Sub - Classrooms
    Sub - Block Internet

    Create another sub OU called Block Internet. Within this OU create a new GPO. Call that Block Internet too.

    Now navigate to: Computer Config > Windows Settings > Security Settings > Software Restriction Policies.

    For the first time, right click Software Restriction Policies and choose New Software Restriction Policies. Double click Additional Rules. Right click in an empty space and choose New Path Rule

    Enter the path: C:\Program Files\Internet Explorer\iexplore.exe, choose Disallow from the drop down menu and in the description put Block IE.

    Now move the relevant Computer objects into this OU. The workstations will either need to be restarted a few times, or use gpupdate /force from the Run menu and then restart.

    This should block every attempt at connecting to the web by any user and doesn't require any scripts or third party utilities.

    I hope you find this useful. Maybe you do things differently? Care to share?

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,955
    Thank Post
    886
    Thanked 1,700 Times in 1,477 Posts
    Blog Entries
    12
    Rep Power
    448
    Is this based on computers or users?

  3. #3

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    This is based on Computer Config, so yes computer level.

  4. #4


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,691
    Thank Post
    352
    Thanked 796 Times in 715 Posts
    Rep Power
    347
    Computers.

  5. #5

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    If you wanted to stop internet access at user level, this is more straight forward. Just enter false proxy server settings where you'd normally specify your proxy.

  6. #6
    Galway's Avatar
    Join Date
    Jun 2007
    Location
    West Yorkshire
    Posts
    1,342
    Thank Post
    9
    Thanked 305 Times in 214 Posts
    Rep Power
    100
    Wont this stop the intranet ? and all other departmental resources that use IE ? (We use a few metro electro stuff like listos)

    How does this stop students using the portable version of firefox or any other browser on a USB ? (They can and do find the correct proxy if you tempt them to use another browser ... and they have learned to place it in locations to bypass the SRP).

    If only they used such energy for there work !! or give a little to staff so that they can teach !! (another story).

  7. #7

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    If you have applications which use IE, then of course they won't work. As for Firefox, this isn't there by default, but there's nothing stopping you adding other software restriction policies to stop Firefox from running.

    The one thing I dislike about FF (excluding FF 1.0) is you cannot control it via GPO, which is why I don't use it in my networks. This also means you cannot restrict users changing advanced properties such as proxy settings. It's all bad news.

  8. #8
    Galway's Avatar
    Join Date
    Jun 2007
    Location
    West Yorkshire
    Posts
    1,342
    Thank Post
    9
    Thanked 305 Times in 214 Posts
    Rep Power
    100
    Install the firefox template into AD, then you can control firefox within group policy.

  9. #9

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    Install the firefox template into AD, then you can control firefox within group policy.
    FireFox 1.x you can, but as far as I am aware FF 2.x and FF 3.x you can't. If you know of a way though, let me know

  10. #10
    Grommit's Avatar
    Join Date
    Sep 2006
    Location
    Weston-super-Mare
    Posts
    1,335
    Thank Post
    31
    Thanked 54 Times in 31 Posts
    Rep Power
    25
    What happens if the students know they can use Explorer to access the internet ?

  11. #11
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    40
    If you have an ISA server it is very easy to ban groups of users or machines from external Internet. Just create a security group in AD add machines or uses to the group then create a deny Internet rule on the ISA server. Adding machines or users is also scriptable and could be created for each set of computers, for example you can create a script to insert 30 comps all from one room via a script place the shortcut where a teacher has access to it, also a script to remove comps once finished.
    Last edited by jsnetman; 15th July 2008 at 07:08 AM.

  12. #12

    Join Date
    Jul 2008
    Posts
    4
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    You might want to look at FrontMotion's Firefox Community Edition
    for a version of firefox with full gpo control!

  13. #13

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    What happens if the students know they can use Explorer to access the internet ?
    It still won't work though. If you follow my first post, open up My Computer and type Google you'll get a message about Software Restriction Policies.

    If you have an ISA server...
    I agree, but I don't have an ISA server!

    ...for a version of firefox with full gpo control!
    It's a great effort by the looks of things, but I'd still be reluctant simply because a lot of modifications have had to be made to get things to work. It appears FF 3.x would also need to be modified. I'm quite happy with IE7, it works, it's manageable and easily patchable through WSUS.

SHARE:
+ Post New Thread

Similar Threads

  1. Enable/Disable workstation internet access from shortcut
    By the_mighty_boosh in forum Netware
    Replies: 3
    Last Post: 28th January 2011, 09:34 AM
  2. Remote Access to LAN PCs over Internet
    By Asif in forum Network and Classroom Management
    Replies: 15
    Last Post: 5th September 2009, 08:56 PM
  3. Disable the autocorrect options in group policy
    By Liam in forum How do you do....it?
    Replies: 2
    Last Post: 24th October 2007, 12:49 PM
  4. Disable network logon for a Security Group or an OU
    By mrforgetful in forum Wireless Networks
    Replies: 10
    Last Post: 28th June 2006, 04:13 PM
  5. Disable Internet using Groups
    By mattpant in forum Wireless Networks
    Replies: 17
    Last Post: 1st December 2005, 11:26 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •