
restricting user internet access



I want to create a user account that has no access to the internet. Not through a browser, not through a peer to peer, not through email; NONE! I want it to be like I unplugged my ethernet cord.

I've tried many solutions: messing around in Windows console, playing with Device Manager, downloading Microsoft toolkits, but I haven't had any luck. Someone please help. Thanks



Gouki, I read that article and it doesn't quite seem to do the above.

IPsec applies for the entire computer (all users).

The above post wants a way to restrict a specific user account from accessing the internet!


Ohhh ... Ok. I thought every single user had his computer, therefore, prohibiting the computer would be prohibiting the user (unless he goes to another computer and signs in using his credentials.)

Thanks for the heads up prathapml. Take care.


I have restricted users from IE (and other apps) by just allowing program access to certain users. I had one PC where user John was denied access to the iexplore.exe. That way whenever he logged in John could not open IE. All other logged in users could. You could apply this method to Outlook Express and Messenger as well. The best part is that everyone but the users you deny can still use those applications. You need to be sure you are running NTFS on the drive.


Edited by cyberpyr8

I have restricted users from IE (and other apps) by just allowing program access to certain users.

The problem with that method is all the changes you have to make for each program which accesses the Internet, and what if you want to allow access, you have to undo those changes and then put them back again.

Your method would be more efficient if you used "groups" and not individual users, that way access is done by group membership and not by individual NTFS permissions.


True. I usually use groups when I am in a domain environment. Either way this is an effective method of preventing users from getting to the Internet. The only thing you have to make sure of is that they don't bypass it by downloading some other browser (Firefox or Opera etc.) and surf using them. I have gone as far as giving read only permissions to the users for the Program Files directory. This prevents any installs. Then I allow only members of my IT staff the permission to have RW access to that folder so they can install software. This prevents the users from freely installing software. They have to call us to install apps.

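Added example (not part of any post in this thread): the group-based variant of the NTFS deny approach discussed above, as a batch script for an administrator on Windows XP using the built-in `net localgroup` and `cacls` commands. The group name `NoInternet` is a hypothetical choice, `John` is the user from the post above, and the three executables are the default XP install paths for the programs that post names.

```batch
@echo off
rem Added example, not code from the thread. Run as an administrator; the drive must be NTFS.
rem NoInternet is a hypothetical local group name; John is the user named in the post above.
setlocal
set "GROUP=NoInternet"

if /i "%~1"=="setup"  goto setup
if /i "%~1"=="deny"   goto acl
if /i "%~1"=="revoke" goto acl
echo Usage: %~nx0 setup ^| deny ^| revoke
exit /b 2

:setup
rem One-time step: create the group and put the restricted account in it.
net localgroup "%GROUP%" /add
net localgroup "%GROUP%" John /add
exit /b 0

:acl
rem /E edits the existing ACL instead of replacing it.
rem /D adds a deny entry for the group; /R removes the group's entries again.
set "SWITCH=/D"
if /i "%~1"=="revoke" set "SWITCH=/R"
for %%F in (
  "%ProgramFiles%\Internet Explorer\iexplore.exe"
  "%ProgramFiles%\Outlook Express\msimn.exe"
  "%ProgramFiles%\Messenger\msmsgs.exe"
) do (
  if exist %%F (cacls %%F /E %SWITCH% "%GROUP%") else (echo Skipped, not found: %%F)
)
exit /b 0
```

Once the deny entries are in place, access is toggled by group membership alone (`net localgroup NoInternet John /delete` to lift it), and the change takes effect at the user's next logon. It only covers the listed executables, so the limits raised in the replies (other browsers, ping.exe) still apply.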

Well, it's easy enough for even those restricted users to install Opera/Firefox in their desktop/mydocs folder!

Moreover, the original poster wants a way to block the internet COMPLETELY - not just iexplore or msnmsgr..... Even ping.exe should not be able to access!

And when you want to block inet access comprehensively, it's hard work to keep looking into & changing permissions of 40-odd executables/DLLs.


There is a way to do this. Just disable the default gateway for the user and that will stop all routed traffic. In a login script for that user only use the following:

from http://www.petri.co.il/configure_tcp_ip_from_cmd.htm

How can I configure TCP/IP settings from the Command Prompt?

In order to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses and many other options you can use Netsh.exe.

Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh.exe also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh.exe can also save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh.exe is available on Windows 2000, Windows XP and Windows Server 2003.

You can use the Netsh.exe tool to perform the following tasks:

Configure interfaces

Configure routing protocols

Configure filters

Configure routes

Configure remote access behavior for Windows-based remote access routers that are running the Routing and Remote Access Server (RRAS) Service

Display the configuration of a currently running router on any computer

Use the scripting feature to run a collection of commands in batch mode against a specified router.

What can we do with Netsh.exe?

With Netsh.exe you can easily view your TCP/IP settings. Type the following command in a Command Prompt window (CMD.EXE):

netsh interface ip show config

With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related settings. For example:

The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1:

netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1

Netsh.exe can be also useful in certain scenarios such as when you have a portable computer that needs to be relocated between 2 or more office locations, while still maintaining a specific and static IP address configuration. With Netsh.exe, you can easily save and restore the appropriate network configuration.

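Added example (not part of the post above or of the quoted article): the post says to disable the default gateway from a login script but only quotes the general netsh article, so this batch script shows the gateway being removed and restored with `netsh interface ip set address`. The interface name and addresses are the ones from the quoted article's example and are assumptions about the machine; the script must run with administrative rights.

```batch
@echo off
rem Added example, not from the thread or the quoted article.
rem Interface name and addresses are taken from the quoted article's example; adjust to the machine.
rem Must run with administrative rights (TCP/IP settings cannot be changed by a limited user).
setlocal
set "IFACE=Local Area Connection"
set "ADDR=192.168.0.100"
set "MASK=255.255.255.0"
set "GW=192.168.0.1"

if /i "%~1"=="block"   goto block
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 block ^| restore
exit /b 2

:block
rem gateway=none keeps the static address but removes the default gateway.
netsh interface ip set address name="%IFACE%" source=static addr=%ADDR% mask=%MASK% gateway=none
goto check

:restore
netsh interface ip set address name="%IFACE%" source=static addr=%ADDR% mask=%MASK% gateway=%GW% gwmetric=1
goto check

:check
netsh interface ip show config name="%IFACE%"
rem An IPv4 default route shows up in "route print" as a line starting with 0.0.0.0.
set "HAVE_ROUTE=1"
route print | findstr /r /c:"^ *0\.0\.0\.0 " >nul || set "HAVE_ROUTE=0"
echo IPv4 default route present: %HAVE_ROUTE%
if /i "%~1"=="block" if "%HAVE_ROUTE%"=="1" (
  echo WARNING: another adapter or a dial-up connection still provides a default route.
  exit /b 1
)
exit /b 0
```

The setting is machine-wide and persists after logoff, so a logoff script has to run the `restore` mode or the next user inherits the block. Hosts on the local subnet, including a proxy server there, stay reachable without a gateway.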

But can the above script be used while logging in a non-privileged user?

AFAIK, tcp/ip settings are modifiable only by users with admin privileges.

Send a script with a Runas and use an administrative account. If it is rolled out through a policy then it shouldn't be a problem anyway.
