2Tall Posted November 8, 2007

I would like to deny a group of computers access to the Internet. Why? The computers in question are used internally for testing hardware and do not require Internet access (I do not want to use an anti-virus license), although they do require access to the corporate LAN.

I have a domain local security group to which I have added the computers. I have added this group to the GPO filter.

I have manually configured the proxy settings on the affected computers and have then simply hidden the Connections tab via Group Policy (Computers). However, this is not bulletproof and only applies to IE. Are there any custom GP templates I could install to assist, or does anyone have advice on how I can achieve my goal?

Many thanks,
Phil.

eyeball Posted November 8, 2007

Can you give the computers a default gateway that doesn't exist and get around it that way?

touchstone_81 Posted November 11, 2007

Blocking Internet access may be better achieved using a firewall rather than AD. But if you don't happen to have a well-protected firewall, you could still block HTTP traffic by using IPSEC policies in gpedit.

Step 1 -- set up a filter list defining any traffic originating from the workstations in question to any IP at port 80 (port 443 for SSL), step 2 -- set up a block filter action, and finally create an IP security policy linking the filter list and actions. After that, all that remains to be done is to assign the policy and wait for it to take effect, or do a manual refresh if you are the impatient type.

Remember, this will block access to any intranet websites operating on port 80; otherwise they should be fine. One way to get around this is to set up another filter list with a permit action for a particular intranet web server.

Note: If you are using a proxy to go through to the Internet, then the rule you set up must block all destination traffic to the proxy server port, e.g. 9090.

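The steps in the post above, scripted against the local IPsec policy store as an added example that is not part of the original thread. It assumes a Windows version that provides the `netsh ipsec static` context; the policy, filter list and action names are made up for illustration, and 192.0.2.10 (intranet web server) and 192.0.2.20 (proxy) are placeholder addresses.

```powershell
# Added example: block outbound web traffic with a local IPsec policy.
# All names below are hypothetical; 192.0.2.x addresses are placeholders.
# Run from an elevated prompt on the test workstation.

# Step 1: filter list matching traffic from this machine to any host
# on TCP 80 and 443. mirrored=yes also matches the return direction.
netsh ipsec static add filterlist name=OutboundWeb
netsh ipsec static add filter filterlist=OutboundWeb srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist=OutboundWeb srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

# If browsers reach the Internet through a proxy, the proxy port has
# to be in the block list too (9090 is the example port from the post).
netsh ipsec static add filter filterlist=OutboundWeb srcaddr=me dstaddr=192.0.2.20 protocol=TCP srcport=0 dstport=9090 mirrored=yes

# Second filter list for the one intranet web server that must stay
# reachable on port 80.
netsh ipsec static add filterlist name=IntranetWeb
netsh ipsec static add filter filterlist=IntranetWeb srcaddr=me dstaddr=192.0.2.10 protocol=TCP srcport=0 dstport=80 mirrored=yes

# Step 2: the filter actions.
netsh ipsec static add filteraction name=BlockAction action=block
netsh ipsec static add filteraction name=PermitAction action=permit

# Step 3: a policy with one rule per filter list. The filter with the
# specific destination address is more specific than the "any" filter,
# so the permit rule wins for the intranet server.
netsh ipsec static add policy name=NoInternetPolicy
netsh ipsec static add rule name=BlockWebRule policy=NoInternetPolicy filterlist=OutboundWeb filteraction=BlockAction
netsh ipsec static add rule name=AllowIntranetRule policy=NoInternetPolicy filterlist=IntranetWeb filteraction=PermitAction

# Assign the policy so it takes effect, then list it to confirm.
netsh ipsec static set policy name=NoInternetPolicy assign=y
netsh ipsec static show policy name=NoInternetPolicy level=verbose
```

This only closes the listed ports; traffic on other ports is untouched, which is why the post recommends a firewall where one is available.
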
2Tall (Author) Posted November 11, 2007

Thanks for the replies, I will have a look into the IPSEC policy. Another guy has mentioned Local Loop Back, so that is something else to look at.

Many thanks,
Phil.