The easiest way to block internet access for a user is to set their proxy server settings to a non-existent proxy server, and prevent them from changing the setting. Note that it is applicable user wise and not the computer. Therefore the policy applies for a user whichever work station he logs in.
The following is specific to Windows Server 2003 and above. I did this on a Windows Server 2008.
- Control Panel - Administrative Tools - Group Policy Management
- You will see your domain on the left side panel
- Right Click the domain and select "Create a GPO in this domain and link it here"
- Name this as "No Internet" or whatever you like.
- The "No Internet" policy will be created under "Group Policy Objects"
- Right click "No Internet" and select edit.
- Under User Configuration, select Policies / Windows Settings / Internet Explorer Maintenance - Connection - Proxy Settings
- Enable Proxy Settings and enter a proxy address for HTTP. 127.0.0.1 is a local host address and redirects the system to its own address. So the browser will not be able to connect to its the internet. Make sure "Do Not use Proxy address for local Intranet Address" which makes sure your clients can connect to the local network just fine.
- Now navigate to User Configuration, select Policies / Administrative Templates / Windows Components / Internet Explorer - Disable Changing Proxy Settings. Select "Enabled" and add a comment if you have to.
- In the same list, look up to find "Disable Changing Advanced Page Settings". The advanced page contains a reset button and this whole thing won't make sense if the user can simply reset the browser and the connection with it. So enable this as well.
- Go back to the group policy management page and right click "No Internet" directly under domain name. Make sure link is enabled and select "Enforced".
- Now a few more things before you leave it to do its job.
- Right Click "No Internet" and select edit
- Navigate to Computer Configuration / Policies / Administrative Templates / System / Group Policy - Internet Explorer Maintenance Policy Processing and select Enabled. Select "Allow processing over slow network connection" if you think this is affordable on your network. Also check "Process if Group Policy Objects has not changed". Group Policy is by default set to update itself on the clients every 90 minutes. If your user somehow manages to change or edit the settings by any way, group policy will again update itself on the client every 90 minutes. So any changes done on the client will still revert itself.
- If you need to change the default time in which the group policy is updated (pushed) to the client computers on your domain, select "Group Policy refresh interval for computers" enable it and set it to 30 minutes or how long you need. Remember that setting it to 0 will default it to 7 seconds. So the group policy will update itself on the clients every 7 seconds which can lead to a lot of traffic on your lan if you have a large number of client computers on the domain.
- Disable Registry Editing. A registry edit can let a user play with your proxy settings. So you can disable registry editing as a precaution. User Configuration\Administrative Templates\System\Prevent access to Registry editing tools. Enable this.
Now that the policy is in place,
To prevent a user from accessing the internet:
1. Select the No Internet group Policy under your domain and press Add under Security Filtering.
2. Use the Advanced dialog to locate and select the user, or simply type the user name and Press OK.
4. If the user is logged on, force the policy to update. This is done by opening command prompt and enter: gpupdate /force
The following points are to be noted regarding this group policy:
1) In effect, this method redirects LAN to a proxy or local host address and disables access to internet. It also disables the LAN access so it cannot be changed by anyone. This process applies to all browsers installed in the system and not just Internet Explorer.
2) It is better NOT to give Local Administrator Access to users on the client machines. However, what I have outlined above should block even local administrators from accessing the internet.
3) All other programs and clients will be able to connect to the internet. Like Antivirus software, Skype, outlook. If you want to limit those, try to block individual ports on the firewall for these programs. Or remove such software from the client pc's and lock down their ability to install anything. Windows Limited User option can accomplish this. If they are required to be admin on their client pc for some reason, use a group policy just like above to lock down user access to modify or install any programs.
4) This works best for all computers joined in the domain.
Remember that GPO is not entirely fool proof. But it should get you going. Using a firewall (hardware or in the router) is a better way if you can afford one.
Good luck!
