Disable Internet for a group of PCs

[Michael]

Hello all,

At the moment I seem to be asked this question every month! Here's how I do it using Windows Server 2003 Group Policies!

Wherever your workstations are located in your domain structure, create another sub OU, so for example:

Root - Curriculum
Sub - Pupils
Sub - ICT Suite
Sub - Classrooms
Sub - Block Internet

Create another sub OU called Block Internet. Within this OU create a new GPO. Call that Block Internet too.

Now navigate to: Computer Config > Windows Settings > Security Settings > Software Restriction Policies.

For the first time, right click Software Restriction Policies and choose New Software Restriction Policies. Double click Additional Rules. Right click in an empty space and choose New Path Rule

Enter the path: C:\Program Files\Internet Explorer\iexplore.exe, choose Disallow from the drop down menu and in the description put Block IE.

Now move the relevant Computer objects into this OU. The workstations will either need to be restarted a few times, or use gpupdate /force from the Run menu and then restart.

This should block every attempt at connecting to the web by any user and doesn't require any scripts or third party utilities.

I hope you find this useful. Maybe you do things differently? Care to share?

[FN-GM]

Is this based on computers or users?

[Michael]

This is based on Computer Config, so yes computer level.

[kmount]

Computers.

[Michael]

If you wanted to stop internet access at user level, this is more straight forward. Just enter false proxy server settings where you'd normally specify your proxy.

[Galway]

Wont this stop the intranet ? and all other departmental resources that use IE ? (We use a few metro electro stuff like listos)

How does this stop students using the portable version of firefox or any other browser on a USB ? (They can and do find the correct proxy if you tempt them to use another browser ... and they have learned to place it in locations to bypass the SRP).

If only they used such energy for there work !! or give a little to staff so that they can teach !! (another story).

[Michael]

If you have applications which use IE, then of course they won't work. As for Firefox, this isn't there by default, but there's nothing stopping you adding other software restriction policies to stop Firefox from running.

The one thing I dislike about FF (excluding FF 1.0) is you cannot control it via GPO, which is why I don't use it in my networks. This also means you cannot restrict users changing advanced properties such as proxy settings. It's all bad news.

[Galway]

Install the firefox template into AD, then you can control firefox within group policy.

[Michael]

Install the firefox template into AD, then you can control firefox within group policy.

FireFox 1.x you can, but as far as I am aware FF 2.x and FF 3.x you can't. If you know of a way though, let me know

[Grommit]

What happens if the students know they can use Explorer to access the internet ?

[jsnetman]

If you have an ISA server it is very easy to ban groups of users or machines from external Internet. Just create a security group in AD add machines or uses to the group then create a deny Internet rule on the ISA server. Adding machines or users is also scriptable and could be created for each set of computers, for example you can create a script to insert 30 comps all from one room via a script place the shortcut where a teacher has access to it, also a script to remove comps once finished.

[wire]

You might want to look at FrontMotion's Firefox Community Edition
for a version of firefox with full gpo control!

[Michael]

What happens if the students know they can use Explorer to access the internet ?

It still won't work though. If you follow my first post, open up My Computer and type Google you'll get a message about Software Restriction Policies.

If you have an ISA server...

I agree, but I don't have an ISA server!

...for a version of firefox with full gpo control!

It's a great effort by the looks of things, but I'd still be reluctant simply because a lot of modifications have had to be made to get things to work. It appears FF 3.x would also need to be modified. I'm quite happy with IE7, it works, it's manageable and easily patchable through WSUS.