Internet Access without Network Resource Access

I'm looking to join a Win2k workstation to the domain for users out in a
warehouse. They should only have access to the internet, and possibly some
network printers. I would like to limit access to all file shares on the
network. I've come up with a couple ways to do this, but everything seems
like more work than necessary. I feel like I'm missing a simple switch that
I can somehow flip for this type of restricted user. We have a Win2k Domain
Controller, so I'm assuming that I'm going to want to do this with Active
Directory. Symantec Antivirus Server manages all workstations on the network
and also runs off of the PDC. I obviously would like to have this remain. So
what's the easiest way to make it so they do not have access to file shares
on the server, and if possible, even other workstations on the network?

Thanks in advance

in this case, you don't join the domain. If the computer obtains the ip, DNS
and gateway from DHCP, it should be able to access the Internet and IP
printers. you setup permission to deny accessing other resources. And SAV
should work too.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN%20process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
"Jason Scoggins" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I'm looking to join a Win2k workstation to the domain for users out in a
> warehouse. They should only have access to the internet, and possibly some
> network printers. I would like to limit access to all file shares on the
> network. I've come up with a couple ways to do this, but everything seems
> like more work than necessary. I feel like I'm missing a simple switch
> that I can somehow flip for this type of restricted user. We have a Win2k
> Domain Controller, so I'm assuming that I'm going to want to do this with
> Active Directory. Symantec Antivirus Server manages all workstations on
> the network and also runs off of the PDC. I obviously would like to have
> this remain. So what's the easiest way to make it so they do not have
> access to file shares on the server, and if possible, even other
> workstations on the network?
>
> Thanks in advance
>

Hi Jason,

One option would be to create a global security group and add these users to
the group, add the group to the network shares then explicitly "Deny" access
to the resources you want to protect. An explicit "Deny" overrides any
permissions granted to a user/group on a resource.

One way to limit access to other workstations would be to create an OU
(Organisational Unit), add all the computers you want to restrict access to
to this OU, then through Group Policy, assign the "Deny Logon Locally"
attribute to the security group mentioned above. (Computer Configuration >
Windows Settings > Security Settings > User right assignment > "Deny logon
locally")

Hope this helps



"Jason Scoggins" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I'm looking to join a Win2k workstation to the domain for users out in a
> warehouse. They should only have access to the internet, and possibly some
> network printers. I would like to limit access to all file shares on the
> network. I've come up with a couple ways to do this, but everything seems
> like more work than necessary. I feel like I'm missing a simple switch
that
> I can somehow flip for this type of restricted user. We have a Win2k
Domain
> Controller, so I'm assuming that I'm going to want to do this with Active
> Directory. Symantec Antivirus Server manages all workstations on the
network
> and also runs off of the PDC. I obviously would like to have this remain.
So
> what's the easiest way to make it so they do not have access to file
shares
> on the server, and if possible, even other workstations on the network?
>
> Thanks in advance
>
>

I think everyone is making it harder than it has to be. They will not have
access to anything that you didn't already give them access to assuming you
aren't "over using" the Everyone Group. If you place their accounts in a
group (and only that group) that does not have access to restricted
resources,..then they obviously will not have access to those resources.

Now if you go allowing the Everyone Group access to things, then that is
your real problem to begin with. The Everyone Group should be heavily
restriced, and that is no more complicated than removing the Everyone Group
from the ACL of the particular resources. You don't have to explicitly deny
anything, you just simply don't give the permission to start with.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Jason Scoggins" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I'm looking to join a Win2k workstation to the domain for users out in a
> warehouse. They should only have access to the internet, and possibly some
> network printers. I would like to limit access to all file shares on the
> network. I've come up with a couple ways to do this, but everything seems
> like more work than necessary. I feel like I'm missing a simple switch
that
> I can somehow flip for this type of restricted user. We have a Win2k
Domain
> Controller, so I'm assuming that I'm going to want to do this with Active
> Directory. Symantec Antivirus Server manages all workstations on the
network
> and also runs off of the PDC. I obviously would like to have this remain.
So
> what's the easiest way to make it so they do not have access to file
shares
> on the server, and if possible, even other workstations on the network?
>
> Thanks in advance
>
>

Thanks to all for the suggestions. I'll be reviewing the security
permissions for the shares, and go from there.

Thanks again.


"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
>I think everyone is making it harder than it has to be. They will not have
> access to anything that you didn't already give them access to assuming
> you
> aren't "over using" the Everyone Group. If you place their accounts in a
> group (and only that group) that does not have access to restricted
> resources,..then they obviously will not have access to those resources.
>
> Now if you go allowing the Everyone Group access to things, then that is
> your real problem to begin with. The Everyone Group should be heavily
> restriced, and that is no more complicated than removing the Everyone
> Group
> from the ACL of the particular resources. You don't have to explicitly
> deny
> anything, you just simply don't give the permission to start with.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Jason Scoggins" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> I'm looking to join a Win2k workstation to the domain for users out in a
>> warehouse. They should only have access to the internet, and possibly
>> some
>> network printers. I would like to limit access to all file shares on the
>> network. I've come up with a couple ways to do this, but everything seems
>> like more work than necessary. I feel like I'm missing a simple switch
> that
>> I can somehow flip for this type of restricted user. We have a Win2k
> Domain
>> Controller, so I'm assuming that I'm going to want to do this with Active
>> Directory. Symantec Antivirus Server manages all workstations on the
> network
>> and also runs off of the PDC. I obviously would like to have this remain.
> So
>> what's the easiest way to make it so they do not have access to file
> shares
>> on the server, and if possible, even other workstations on the network?
>>
>> Thanks in advance
>>
>>
>
>