Blocking Internet access using AD

18 years 6 months ago #10982 by defsoul
Is there a way using AD in Windows 2000 Server to block users or groups from having internet access, but have emails come through? We use a proxy to connect to the internet, but I see that even when they do not have administrative rights on the machines they are able to change or enter the proxy settings.

Is there software that I can use to achieve this? Is there a way I can draw a list of all sites that a user has visited?

18 years 6 months ago #10984 by DaLight
You can configure the proxy settings, lock down access to Tools/Options menu in IE and prevent access to the Control Panel using AD. The relevant keys are \Administrative Templates\Windows Components\Internet Explorer, \Administrative Templates\Remove Display in Control Panel. However, if your users have admin rights on PCs they could always install Firefox and bypass your AD lockdown.

It really depends on how determined your users are and the privilege levels they have on their PCs. Ultimately, the best way is through a proxy server at the internet gateway. If you happen to have Microsoft ISA Server, it integrates seamlessly with AD, or you could go for something like Wingate or Squid (free).

18 years 6 months ago #10985 by stefke
Hi,

I can only agree with DaLight. The only way you can effectively block your users (or some users) from going on the Internet is at the proxy server. As suggested by DaLight, ISA offers full integration with AD, or you could use some other proxy and use RADIUS for authentication.

Greetings,

stefan

18 years 6 months ago #10988 by Biggystumps
Is it possible for you to configure your networking equipment?
The first thing that came to mind was using an ACL to block port 80 for your network.

If not, then the above mention of group policy preventing access or an ISA server is the way to go.

MCSE - MCSA
2003 certified

18 years 6 months ago #11000 by jhun
Yes, I have to agree with Biggystumps on the ACL. Not only would it be effective, but it would also have no impact on the budget side.

If you really want AD to handle the restriction, then DaLight and stefke are right on the group policy. You could use this link as your reference. It is a document specifying how to implement the restriction using group policy.

www.eastproject.org/Projects/SystemAdmin...nternet%20Access.doc

Hope this helps...

18 years 6 months ago #11004 by DaLight
I agree that an ACL on your firewall blocking ports 80, 443 would be a good idea, although it would make selective filtering a bit difficult if you decided to allow some users to access the internet and you wanted to control access via user authentication rather than workstation IP address.
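
For the Squid option and the original question about listing the sites a user has visited, here is an added example that is not part of the original thread. It assumes Squid requires proxy authentication (so the user field is populated) and writes its native access.log format; the log lines, usernames and addresses are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1158312000.123 210 10.0.0.20 TCP_MISS/200 5120 GET http://www.example.com/index.html alice DIRECT/192.0.2.10 text/html
1158312005.456  95 10.0.0.20 TCP_MISS/200 830 CONNECT mail.example.org:443 alice DIRECT/192.0.2.25 -
1158312010.789   2 10.0.0.31 TCP_DENIED/403 1450 GET http://news.example.net/ bob NONE/- text/html
1158312020.001   1 10.0.0.44 TCP_DENIED/407 1700 GET http://www.example.com/ - NONE/- text/html
truncated or corrupt line
1158312030.500 180 10.0.0.20 TCP_HIT/200 900 GET http://www.example.com/logo.gif alice NONE/- image/gif
"""


def host_of(method, url):
    """Return the destination host for a logged request."""
    if method == "CONNECT":
        # HTTPS tunnels are logged as "host:port", not as a full URL.
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()


def sites_by_user(log_text):
    """Return (allowed, denied): {user: {host: request_count}}."""
    allowed = defaultdict(lambda: defaultdict(int))
    denied = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip malformed lines instead of failing the report
        client, result, method, url, user = (
            fields[2], fields[3], fields[5], fields[6], fields[7])
        # Requests without credentials are attributed to the workstation IP.
        who = user if user != "-" else "unauthenticated@" + client
        bucket = denied if result.startswith("TCP_DENIED") else allowed
        bucket[who][host_of(method, url)] += 1
    as_dict = lambda d: {u: dict(hosts) for u, hosts in d.items()}
    return as_dict(allowed), as_dict(denied)


if __name__ == "__main__":
    allowed, denied = sites_by_user(SAMPLE_LOG)
    for label, table in (("ALLOWED", allowed), ("DENIED", denied)):
        for user in sorted(table):
            for host, count in sorted(table[user].items()):
                print(f"{label:8} {user:28} {host:24} {count}")
```

Denied entries with no username point to clients that reach the proxy without authenticating, which is where per-user policy cannot be applied.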