Preventing Internet Explorer Access

Actually, this is very easy to accomplish. Through Group Policies, define
the users/groups that you don't want to have internet access using standard
installed applications (IE, OE, etc.) and assign a proxy server address of
127.0.0.1 under the Internet Explorer restrictions on a per-user/group
basis. Using the default settings, all installed Windows apps use the IE
settings, so they'll all fail to connect. If you further restrict access to
Internet Options and Registry Editing tools, they'll be unable to easily
change this setting.

Its not as "all encompasing" as a 3rd party solution would be, or even using
an Internet Access Server, where you can literally control access using
Windows based authentication, but it will stop the casual user from gaining
access.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Lanwench [MVP - Exchange]"
<lanwench.DeleteThis@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:eN8tXyW2IHA.5512@TK2MSFTNGP06.phx.gbl...
> SD <sushidot.DeleteThis@gmail.com> wrote:
>> Hello-
>>
>> I was wondering the best way to prevent internet access using onboard
>> resourses in windows other than having to put on third part software
>> to prevent internet explorer access.
>
> Not really. Internet Explorer itself isn't the issue. You're talking about
> blocking *internet* access.
>>
>> For example...can this be done with a group policy that is global
>> throughout the domain?
>
> Not really. You *could* ensure that the workstations in question are not
> given a default gateway in their IP config, but that is very clumsy at
> best.
>
>> Could I maybe password enable attempts to
>> access IE ?
>
> No, and that wouldn't give you the results you wish, honestly.
>>
>> Reason I ask is the web is the only thing I am interesting in
>> blocking...but if we block its port entirely with 3rd party..it gets
>> annoying to have to configure each workstation that way ... etc...
>
> Do this in your perimeter firewall appliance (deny LAN->WAN for your
> workstation range of IP addreses) or get a proxy server or use ISA. That's
> the best way to handle this.
>
 >> Stay informed about: Preventing Internet Explorer Access 

Where I work, it depends on the Windows login what groups of sites we
can visit. Our traffic is being monitored by a proxy that checks the IP
and windows login to check if we can access certain sites.
LOL...and the weird thing is that I can't even access the ALLOWED
sites.. like glitnir.is and landsbanki.is (banks).
Weird right? =D

Doug Knox - [MS-MVP] wrote:
> Actually, this is very easy to accomplish. Through Group Policies,
> define the users/groups that you don't want to have internet access
> using standard installed applications (IE, OE, etc.) and assign a proxy
> server address of 127.0.0.1 under the Internet Explorer restrictions on
> a per-user/group basis. Using the default settings, all installed
> Windows apps use the IE settings, so they'll all fail to connect. If
> you further restrict access to Internet Options and Registry Editing
> tools, they'll be unable to easily change this setting.
>
> Its not as "all encompasing" as a 3rd party solution would be, or even
> using an Internet Access Server, where you can literally control access
> using Windows based authentication, but it will stop the casual user
> from gaining access.
>

--
Alias: Simzon
Age: 19
M$ Tech Status: Newbie =)
 >> Stay informed about: Preventing Internet Explorer Access 

Doug Knox - [MS-MVP] wrote:
> Actually, this is very easy to accomplish. Through Group Policies,
> define the users/groups that you don't want to have internet access
> using standard installed applications (IE, OE, etc.) and assign a proxy
> server address of 127.0.0.1 under the Internet Explorer restrictions on
> a per-user/group basis. Using the default settings, all installed
> Windows apps use the IE settings, so they'll all fail to connect. If
> you further restrict access to Internet Options and Registry Editing
> tools, they'll be unable to easily change this setting.
>
> Its not as "all encompasing" as a 3rd party solution would be, or even
> using an Internet Access Server, where you can literally control access
> using Windows based authentication, but it will stop the casual user
> from gaining access.
>


Does the IEAK (Internet Explorer Administration Kit) manage something
like this?

Does Microsoft have a tool for managing Group Policies besides the one
in the Control Panel? I remember reading about something like that but
just can't remember the name of the program. I think it is in the
Resource Kit.

I need to lock down some PCs used in a turnkey application to allow only
administrators to use any other programs besides the application itself.
 >> Stay informed about: Preventing Internet Explorer Access