Any way to block internet access for a specific win2000 user?

I need to completely block connectivity to specific user accounts.

I know that with a domain controller one can do this, but this is a
workgroup network.

There are some 3rd party add-on which can do this, but I wonder if
there is a way to do it within windoze.

I can do parts of it, by changing that user to Admin privileges,
logging in as the user, then using secpol.msc etc to prevent address
to say iexplore.exe, then changing the account back to the limited
privileges. But this blocks just IE6, so the user simply starts up
Firefox




occassionally-confused@nospam.co.uk

> I need to completely block connectivity to specific user accounts.
>
> I know that with a domain controller one can do this, but this is a
> workgroup network.
>
> There are some 3rd party add-on which can do this, but I wonder if
> there is a way to do it within windoze.
>
> I can do parts of it, by changing that user to Admin privileges,
> logging in as the user, then using secpol.msc etc to prevent address
> to say iexplore.exe, then changing the account back to the limited
> privileges. But this blocks just IE6, so the user simply starts up
> Firefox

Cure the problem at source. Stop the user running unauthorised programs. If
they will not comply then sack them.

Peter Crosland

On 16 Oct 2006, "Peter Crosland" <(E-Mail Removed)> wrote:

>Cure the problem at source. Stop the user running unauthorised programs. If
>they will not comply then sack them.

Although previously posting via Zen, I believe this is still the same Peter
(z123@...) and if that's the case, sacking the teenager isn't possible :-(

(may not have been so transparent if a dynamic IP was used on Eclipse!)

On 16 Oct 2006, occassionally-(E-Mail Removed) wrote:

>I need to completely block connectivity to specific user accounts.

In which case you surely need to remove LAN access from those user
accounts. Perhaps worth asking checking uk.comp.home-networking

occassionally-(E-Mail Removed) wrote on Mon, 16 Oct 2006 12:02:58 +0100:

> I need to completely block connectivity to specific user accounts.
>
> I know that with a domain controller one can do this, but this is a
> workgroup network.
>
> There are some 3rd party add-on which can do this, but I wonder if
> there is a way to do it within windoze.
>
> I can do parts of it, by changing that user to Admin privileges,
> logging in as the user, then using secpol.msc etc to prevent address
> to say iexplore.exe, then changing the account back to the limited
> privileges. But this blocks just IE6, so the user simply starts up
> Firefox
>

How about disabling the network interface driver in the hardware settings
for that user account?

What about deleting the network connection, and setting the local policy for
that user to have no access to any of the network connection settings? That
way there is no network connection defined, and they can't add one either.

You know, a hammer might help. Or a big stick. I find people don't like to
be hit with either.

Dan

"Spack" <(E-Mail Removed)> wrote:

>How about disabling the network interface driver in the hardware settings
>for that user account?

Interesting... I thought that setting would be global for all users.

>What about deleting the network connection, and setting the local policy for
>that user to have no access to any of the network connection settings? That
>way there is no network connection defined, and they can't add one either.

Again, I thought that sort of thing was global. But it is indeed a
simple solution - thank you.

occassionally-(E-Mail Removed) wrote on Mon, 16 Oct 2006 16:51:34 +0100:

>
> "Spack" <(E-Mail Removed)> wrote:
>
>> How about disabling the network interface driver in the hardware settings
>> for that user account?
>
> Interesting... I thought that setting would be global for all users.

I'm pretty sure it's user profile related, I've used this in NT4 before to
disable hardware for particular users.

>> What about deleting the network connection, and setting the local policy
>> for that user to have no access to any of the network connection
>> settings? That way there is no network connection defined, and they can't
>> add one either.
>
> Again, I thought that sort of thing was global. But it is indeed a
> simple solution - thank you.

Nope, this is definitely a user applicable setting in XP, and I'm pretty
sure it's the same in Win2000, check the group policy editor and take a look
at all the settings available for network connections.

Dan

"Spack" <(E-Mail Removed)> wrote

>occassionally-(E-Mail Removed) wrote on Mon, 16 Oct 2006 16:51:34 +0100:
>
>>
>> "Spack" <(E-Mail Removed)> wrote:
>>
>>> How about disabling the network interface driver in the hardware settings
>>> for that user account?
>>
>> Interesting... I thought that setting would be global for all users.
>
>I'm pretty sure it's user profile related, I've used this in NT4 before to
>disable hardware for particular users.
>
>>> What about deleting the network connection, and setting the local policy
>>> for that user to have no access to any of the network connection
>>> settings? That way there is no network connection defined, and they can't
>>> add one either.
>>
>> Again, I thought that sort of thing was global. But it is indeed a
>> simple solution - thank you.
>
>Nope, this is definitely a user applicable setting in XP, and I'm pretty
>sure it's the same in Win2000, check the group policy editor and take a look
>at all the settings available for network connections.
>
>Dan
>

I tried this but it appears that in win2000 the TCP/IP properties etc
are global to all users.

There must be another way.

I can block a specific IP in the router but if I assign a certain IP
in this user's network profile, every other user gets the same IP.

One can block that user's access to modifying the network properties,
no problem. It's a bit tacky:

Make him an administrator
Login as him
Start up gpedit.msc and edit the Control Panel / Network privileges
Set him back to ordinary "user"

There must be a way of editing other users' privileges from within the
main admin login, but it isn't obvious.

<occassionally-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Spack" <(E-Mail Removed)> wrote
>
> >occassionally-(E-Mail Removed) wrote on Mon, 16 Oct 2006 16:51:34
+0100:
> >
> >>
> >> "Spack" <(E-Mail Removed)> wrote:
> >>
> >>> How about disabling the network interface driver in the hardware
settings
> >>> for that user account?
> >>
> >> Interesting... I thought that setting would be global for all users.
> >
> >I'm pretty sure it's user profile related, I've used this in NT4 before
to
> >disable hardware for particular users.
> >
> >>> What about deleting the network connection, and setting the local
policy
> >>> for that user to have no access to any of the network connection
> >>> settings? That way there is no network connection defined, and they
can't
> >>> add one either.
> >>
> >> Again, I thought that sort of thing was global. But it is indeed a
> >> simple solution - thank you.
> >
> >Nope, this is definitely a user applicable setting in XP, and I'm pretty
> >sure it's the same in Win2000, check the group policy editor and take a
look
> >at all the settings available for network connections.
> >
> >Dan
> >
>
> I tried this but it appears that in win2000 the TCP/IP properties etc
> are global to all users.
>
> There must be another way.
>
> I can block a specific IP in the router but if I assign a certain IP
> in this user's network profile, every other user gets the same IP.
>
> One can block that user's access to modifying the network properties,
> no problem. It's a bit tacky:
>
> Make him an administrator
> Login as him
> Start up gpedit.msc and edit the Control Panel / Network privileges
> Set him back to ordinary "user"
>
> There must be a way of editing other users' privileges from within the
> main admin login, but it isn't obvious.

Set a logon script in the machine policy. Use an encrypyted script to start
a batch session as local administrator if the user logging on is the one you
want to remove from network accesxs, In this second script disable the
interface.using NETSHs. You may want to apply additional security measures
as encrypted scripts can be cracked.

In fact if you don't want network access just disable the interface. Make
the user a non-admin. When you want to use the machine as an admin, stick a
pair of natch files on the desk to disable and enable the interface. Make
sure you disable before giving back to non-admin user...

Your own procedure suggests an obvious way, use groups?

Eg: Those who can use the internet into PowerUsers, those who can't into
Users. Then create a Group Policy on the PC to prevent Users from launching
any installed browser or Windows Installer (so they can't install an
alternative browser)? I haven't ever had reason to try this (we used
domains with Group Policies on the domain groups) but I reckon it should
work with PC Groups as well ...

<occassionally-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> There must be a way of editing other users' privileges from within the
> main admin login, but it isn't obvious.