GPO for restricting Internet sites?

TheMSsForum.com: The Microsoft Software Forum

Is there a way to set up a Group Policy that will allow me to block all
internet sites, but give me the flexibility to add certain sites for access
as deemed necessary? While I would prefer this to be done on a user basis, I
am willing to apply to computers instead.
Top

Re: GPO for restricting Internet sites? by Steven

Steven
Fri Nov 03 14:33:23 CST 2006

If the sites you need the computers to access can be accessed by entering
their IP address in the browser address bar you could try using an ipsec
filtering policy via Group Policy that by default blocks internet/HTTP
access and then add exceptions for the IP addresses of the allowed sites in
a rule that has a permit filter action. ideally however you want to look at
a solution like Microsoft ISA firewall that can have firewall rules based on
users/groups for the domain.

Steve

http://www.securityfocus.com/infocus/1559 --- the basics of configuring an
ipsec filtering policy

"Madman" <Madman@discussions.microsoft.com> wrote in message
news:F57368C3-53D1-491B-96D2-1B8FC18A9361@microsoft.com...
> Is there a way to set up a Group Policy that will allow me to block all
> internet sites, but give me the flexibility to add certain sites for
> access
> as deemed necessary? While I would prefer this to be done on a user basis,
> I
> am willing to apply to computers instead.


Top

Re: GPO for restricting Internet sites? by Madman

Madman
Fri Nov 03 19:01:02 CST 2006

Steven, thanks for the reply. It seems the link you provided is down, but I
can always redirect my research toward that end. The use of IP addresses
could be a bit cumbersome, but should I opt to go that way perhaps I can find
some workarounds. After considerable research on this topic, I have to say I
am appalled at the lack of flexibility in IE and MS Group Policies in trying
to accomplish this task. I came into it expecting it to be a fairly common
practice. I have even found simply playing with the Content Advisor on a
single PC to be less than perfect.

"Steven L Umbach" wrote:

> If the sites you need the computers to access can be accessed by entering
> their IP address in the browser address bar you could try using an ipsec
> filtering policy via Group Policy that by default blocks internet/HTTP
> access and then add exceptions for the IP addresses of the allowed sites in
> a rule that has a permit filter action. ideally however you want to look at
> a solution like Microsoft ISA firewall that can have firewall rules based on
> users/groups for the domain.
>
> Steve
>
> http://www.securityfocus.com/infocus/1559 --- the basics of configuring an
> ipsec filtering policy
>
> "Madman" <Madman@discussions.microsoft.com> wrote in message
> news:F57368C3-53D1-491B-96D2-1B8FC18A9361@microsoft.com...
> > Is there a way to set up a Group Policy that will allow me to block all
> > internet sites, but give me the flexibility to add certain sites for
> > access
> > as deemed necessary? While I would prefer this to be done on a user basis,
> > I
> > am willing to apply to computers instead.
>
>
>
Top

Re: GPO for restricting Internet sites? by Steven

Steven
Sat Nov 04 14:49:48 CST 2006

For enterprises Microsoft's and even small businesses [SBS 2003 premising]
answer is ISA. If the users can only use IE you could also try to configure
a bogus proxy server for the users in IE connection/lan setting properties
and then add the exceptions that should not use proxy in advanced settings
for the proxy setting. Of course you would then want to make sure that the
user can not access the connection settings. All that can be done via Group
Policy if need be in the IE maintenance settings under user configuration.
The links below explain further.

Steve

http://www.computerperformance.co.uk/w2k3/gp/group_policy_internet_explorer.htm
--- IE maintenance settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;316702

"Madman" <Madman@discussions.microsoft.com> wrote in message
news:4D89A6C7-A06F-4EEF-9493-6342FF6CA0E2@microsoft.com...
> Steven, thanks for the reply. It seems the link you provided is down, but
> I
> can always redirect my research toward that end. The use of IP addresses
> could be a bit cumbersome, but should I opt to go that way perhaps I can
> find
> some workarounds. After considerable research on this topic, I have to say
> I
> am appalled at the lack of flexibility in IE and MS Group Policies in
> trying
> to accomplish this task. I came into it expecting it to be a fairly common
> practice. I have even found simply playing with the Content Advisor on a
> single PC to be less than perfect.
>
> "Steven L Umbach" wrote:
>
>> If the sites you need the computers to access can be accessed by entering
>> their IP address in the browser address bar you could try using an ipsec
>> filtering policy via Group Policy that by default blocks internet/HTTP
>> access and then add exceptions for the IP addresses of the allowed sites
>> in
>> a rule that has a permit filter action. ideally however you want to look
>> at
>> a solution like Microsoft ISA firewall that can have firewall rules based
>> on
>> users/groups for the domain.
>>
>> Steve
>>
>> http://www.securityfocus.com/infocus/1559 --- the basics of configuring
>> an
>> ipsec filtering policy
>>
>> "Madman" <Madman@discussions.microsoft.com> wrote in message
>> news:F57368C3-53D1-491B-96D2-1B8FC18A9361@microsoft.com...
>> > Is there a way to set up a Group Policy that will allow me to block all
>> > internet sites, but give me the flexibility to add certain sites for
>> > access
>> > as deemed necessary? While I would prefer this to be done on a user
>> > basis,
>> > I
>> > am willing to apply to computers instead.
>>
>>
>>


Top