Announcement

Collapse
No announcement yet.

block internet access by computer

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • block internet access by computer

    Hello my friends,

    I want know how can I block the internet access from specific computer, this computer is in the domain and is open for the all users but is only to access the internal websites. I dont want to allow the people surf over there.

    Any idea?

    thanks,

    NiTo

    P.S. client:Winxp pro and server: win2003

  • #2
    Re: block internet access by computer

    Block its IP address on the router or acl outbound
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    Comment


    • #3
      Re: block internet access by computer

      To add to what AndyJG247 said, you can use either static IPs or DHCP reservations for the machine that you want to block internet access to. You might also be able to block the MAC address at the router.

      Or, if the client computer is only using IE, read this: http://www.experts-exchange.com/Soft..._22804441.html

      Does that help?
      Last edited by Nonapeptide; 19th June 2008, 18:49. Reason: grammar
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

      Comment


      • #4
        Re: block internet access by computer

        I do it already but just the people that uses this machine to surf have the rights to change the IP, and I cant block them, if I can change a policy or some thing like that they dont know how to change back (only if they found this post, hehehe).

        NiTo

        Comment


        • #5
          Re: block internet access by computer

          Look into "Loopback Processing" for a GPO. It applies user configuration GPOs that are in a computer's "user configuration" GPO area to a user after the user has logged in. That way, no matter who logs in, they always have the user configuration policies applied to them that are specified in that computer's "user configuration" portion of the policy. If that made sense, you're much sharper than I am because it took me a long while to understand loopback processing.

          Do an obligatory Google search.

          Also, you'll probably want the loopback processing mode to be in "Replace" mode and not "Merge" mode.

          Tell us how it goes!
          Last edited by Nonapeptide; 20th June 2008, 14:28.
          Wesley David
          LinkedIn | Careers 2.0
          -------------------------------
          Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
          Vendor Neutral Certifications: CWNA
          Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
          Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

          Comment


          • #6
            Re: block internet access by computer

            You could use this: http://www.petri.com/block_internet_...with_ipsec.htm

            And tweak it to allow to certain sites.
            CCNA, Network+

            Comment


            • #7
              Re: block internet access by computer

              thank you Daze works fine. The only problem is since the user could be an local administrator if he knows how I block him. he can go to the IP sec. pol. man. and delete the policy. But I dont thing he is so smart...

              Comment


              • #8
                Re: block internet access by computer

                Easy way to do this is put a dummy proxy server in.
                You can use a regedit also which will prevnet the user from chaging it back.
                Lets be honest very few users would know how to make changes in the registry and proxy settings. I have also added the Registry change to a logon script to even if they do work out how to do it gets put back when they log back in.

                if you want I'll e-mail the regedit commands to you
                Last edited by steffan.shadrach; 24th June 2008, 11:51. Reason: add to

                Comment


                • #9
                  Re: block internet access by computer

                  Originally posted by nitoglycerine View Post
                  thank you Daze works fine. The only problem is since the user could be an local administrator if he knows how I block him. he can go to the IP sec. pol. man. and delete the policy. But I dont thing he is so smart...
                  Did you look into loopback processing?

                  You could also look into something like Windows Steady State. That wouldn't prevent someone from making a change immediately, but it would at least set it back to the way you want it after a reboot (which you could schedule every night).
                  Wesley David
                  LinkedIn | Careers 2.0
                  -------------------------------
                  Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                  Vendor Neutral Certifications: CWNA
                  Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                  Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                  Comment


                  • #10
                    Re: block internet access by computer

                    Originally posted by steffan.shadrach View Post
                    Easy way to do this is put a dummy proxy server in.
                    You can use a regedit also which will prevnet the user from chaging it back.
                    Lets be honest very few users would know how to make changes in the registry and proxy settings. I have also added the Registry change to a logon script to even if they do work out how to do it gets put back when they log back in.

                    if you want I'll e-mail the regedit commands to you

                    I have done this before. I used an AD group policy that applied the proxy setting to the computer, then set the group policy to disallow the user from accessing the proxy page to change it.

                    It worked out well in my case.
                    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+

                    Comment


                    • #11
                      Re: block internet access by computer

                      hmmm and why not putting the client in a seperate VLAN?
                      Marcel
                      Technical Consultant
                      Netherlands
                      http://www.phetios.com
                      http://blog.nessus.nl

                      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                      "No matter how secure, there is always the human factor."

                      "Enjoy life today, tomorrow may never come."
                      "If you're going through hell, keep going. ~Winston Churchill"

                      Comment


                      • #12
                        Re: block internet access by computer

                        Originally posted by Dumber View Post
                        hmmm and why not putting the client in a seperate VLAN?
                        or use ISA server...?
                        or have 1 local computer policy , which can be loged in as guest for example, and no one else, ( like internet cafes) and remove everything via GP and leave just IE

                        Comment


                        • #13
                          Re: block internet access by computer

                          Well I think he has now a lot of options
                          Marcel
                          Technical Consultant
                          Netherlands
                          http://www.phetios.com
                          http://blog.nessus.nl

                          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                          "No matter how secure, there is always the human factor."

                          "Enjoy life today, tomorrow may never come."
                          "If you're going through hell, keep going. ~Winston Churchill"

                          Comment


                          • #14
                            Re: block internet access by computer

                            thank you for the answers,

                            Steffan please send me a private message with the changes in the register.

                            cemarzu do you have a script with these changes in the GP? to make the machine less vulnarable?

                            NiTo

                            Comment


                            • #15
                              Re: block internet access by computer

                              O_o

                              Is there some kind of photon vortex that prevents the term "Loopback Processing" from emitting from individual's monitors and penetrating their cornea?

                              Nitro, seriously, I think loopback processing is your best bet. Have you looked into it? Manually tweaking the registry, putting non-existent proxy servers in your settings and applying GP templates seems kinda clunky for this situation. I'm sure they'll work, but I think there's a better and more elegant way. Does anyone out there know something about loopback processing that would disqualify it as a valid solution in this environment?

                              It's simple, effective, and scalable. The way all solutions should be.
                              Last edited by Nonapeptide; 29th June 2008, 00:18.
                              Wesley David
                              LinkedIn | Careers 2.0
                              -------------------------------
                              Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                              Vendor Neutral Certifications: CWNA
                              Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                              Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                              Comment

                              Working...
                              X