blocking internet access

Discussion in 'Windows Networking' started by Nik, Dec 29, 2004.

  1. Nik

    Nik Guest

    hi guys,
    I'm trying to prevent my users from accessing the internet. I have attempted
    to block it through the personal firewall as well as through IE, however, my
    users seem to have learn how to undo what I did. is there anyting i can do
    at the lower layers to prevent them.

    Nik, Dec 29, 2004
    1. Advertisements

  2. Use Microsoft ISA Server 2004 and require that users authenticate.
    You can download free trial version of ISA Server 2004 from Microsoft's web

    Dusko Savatovic
    Dusko Savatovic, Dec 29, 2004
    1. Advertisements

  3. How do you get to the internet in the first place?
    Phillip Windell, Dec 29, 2004
  4. if you don't have budget to buy isa, you still have many options. 1. if you
    have a router and the router can do filter, the filter the ip you don't want
    to access the internet; 2. don't assign the router to the computers; 3.
    enable LAN settings with a fake ip and also disable user's right to modify
    registry. good luck!

    For more and other information, go to

    Don't send e-mail or reply to me except you need consulting services.
    Posting on MS newsgroup will benefit all readers and you may get more help.

    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
    Networking Solutions,
    VPN Solutions,
    VPN Process and Error Analysis, process.htm
    VPN Troubleshooting,
    This posting is provided "AS IS" with no warranties.
    Robert L [MS-MVP], Dec 29, 2004
  5. You don't give us much information about your network or how you connect to
    the Internet. However, one easy way to prevent network Internet access on a
    per computer basis is to configure the client computer with no default
    gateway or an incorrect default gateway. You can do this with a DHCP server
    or by statically configuring the client computer.

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
    Doug Sherman [MVP], Dec 29, 2004
  6. That won't work if the OP's network has more than one subnet since his computers
    will need a default gateway to communicate to the other subnet.

    Really, this kind of problem shouldn't be solved with any technology that
    relies on IP addresses. IP addresses identify computers, not people. In the
    world of DHCP, there's never any guarantee that a particular address will
    always be used on a particular person's computer. Besides, IP addresses can
    be spoofed.

    If you want user-level access control, you must use technology that understands
    user accounts and manage your requirements centrally. This means you need
    something like Active Directory and ISA Server.

    Steve Riley
    Steve Riley [MSFT], Dec 29, 2004
  7. Nik

    Nik Guest

    Sorry about that guys. I should have definitely given more information.
    These are standalone computers. they use the internet to connect to the
    western union network. So I do not wish for them to do any browsing or
    chatting. They access the internet via dial-up

    Hope this helps
    Nik, Dec 29, 2004
  8. I agree with you in principle, my suggestion of manipulating gateways is
    clunky and inconsistent with true network security paractices.

    Nevertheless, it can be made to work; and the following is both misleading
    and does not support the principle:

    "That won't work if the OP's network has more than one subnet since his
    computers will need a default gateway to communicate to the other subnet."

    The computers could use a static route(s) to reach the other subnets and
    have no default gateway at all.

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
    Doug Sherman [MVP], Dec 29, 2004
  9. Inline.

    True but that is an advanced configuration that is brittle because it requires
    on-going maintenance. It is nontrivial to learn how that works and it can
    be destabilizing if the routing infrastructure in the network is dynamic.
    It's essentially asking a client to please behave and don't go where I don't
    want you to go.

    Steve Riley
    Steve Riley [MSFT], Dec 30, 2004
  10. Just getting a Firewall or Proxy that is worth having would solve the whole
    thing. If IP# assignments are logically and consistantly managed a NAT
    Firewall that restricts by the IP# would "get by". Otherwise something like
    ISA that restricts by User account would solve it.

    These things always come up if someone is wanting to create a non-standard
    solution to a standard problem because they either can't or won't spend a
    few dollars to do it right.


    Phillip Windell [MCP, MVP, CCNA]
    Phillip Windell, Dec 30, 2004
  11. So each computer does independent dialup? That sounds really unmanageable
    for many reasons other than this. Any chance you can get a proxy server &
    install broadband for them to share? Would be much better overall anyway.
    Lanwench [MVP - Exchange], Jan 2, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.