blocking access users to website

[Lus]

hi

i wana limit some computer to deny accessing website by useing GPO.

is any imposible way by configuring "windows Firewall" via GPO for denying access to web site ?

i think this configuration must denying user to connecting to web servers :

----------GPO------------

Windows Firewall = protect all network connection \ enable

windows firewall = define program exceptions --- adding software with Scope --->

program path : %program files%\internet explorer\iexplorer.exe

Scope : 192.168.0.1(gateway address)

windows firewall : do not allow exceptions \ enable

-----------------------

any idea ?

[berrick]

There are various ways perhaps you could achieve this different methods will depend on your network and complexity. One way if say using Cisco routers would be to use extended ACL's that way you could block on protocol, ports source/destination IP etc. Another way if these clients dont need to get off the local network could be to remove the default gateway and use a host file to block cerian url's for example

127.0.0.1 www.doubleclick.net

and use GPO to stop the users changing the local computers tcp/ip settings.

another way is to use configure IPSec policy using ip filtering i have never done this so dont know how flexible it is. It would certianly block all trafic to and from a client! Try searching for more info if these topics are of interest. If you dont get any where let me no and i will see if i can find any links to do with the IPSec bit

[Hamins]

I want to do somethng similar to this.

I want to deny users access to all website except a few. Is there any way of doing this through Windows2003 ?

Edited August 13, 2005 by Hamins

[chilifrei64]

GPO is not the way to go for this one guys.. your best bet is to get a linux box and set it up as a proxy server.. this will allow you to configure web filtering to your liking...

Proxy servers are not easy to configure and it may take some time.. but GPO was not meant for web filtering and you will probably have a much harder time working with GPO than you will with a Proxy server

[Hamins]

Chilifrie, I understand what you're trying to say. However, I want to know if it's possible at all, or not ?

[Hamins]

Chilifrie, I understand what you're trying to say. However, I want to know if it's possible at all, or not ?

[chilifrei64]

The only thing you can do with GPO in terms of filtering is deploying it through content advisor but that will not do what you are asking it to do.. this will only filter based on content and not specific sites.. also.. sites that dont put content adivsor tags in their page will not work either and since this is mainly MS filtering.. not many people do.. So no..

Now this is not saying that it isnt possible.. BUT.. GPO was not built with web filtering in mind and there is no procedure in place to set this up BUT.. GPO is very powerful and if you get crazy enough with it it can probably be done, however i dont see how.

[berrick]

As i said earlier I'm sure it is possible to use the built in IP filtering to setup ipsec which can be controled via gpo..... BUT i havent tried it and not sure how difficult it would be to do/administor

[Lus]

thanks guys

i used ICS for deploing internet over my network now i am useing NAT solution. i install Kerio Winroute 6.

advantage NAT technology with kerio

- permit or deny group of user or computers (with ip) to access to internet

- centeral location for manageing internet access wihtout change GPO

- web filtering

- u can configure Kerio so each user have an accout for access to internet

any better idea ?