Just use IPSec filters --> http://www.petri.co.il/block_web_browsing_with_ipsec.htm. We have them applied for specific PCs across the Enterprise and haven't had any issues.

Richard Boswell
Network Security Engineer
Symbion Healthcare
Office - (615) 234-8914
Support Desk - (615) 234-5980
BlackBerry - (615) 299-7763

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, March 09, 2005 10:12 AM
To: [email protected]
Subject: RE: [ActiveDir] deny internet

I can't afford ISA right now. Anyone use Squid?
I'm researching the IPsec solution right now.
I guess you can't have a GPO deny use of IE, and if the user is not a local admin, they couldn't install any other browser or sw?
Finally, on a slightly unrelated note, is there still no way to completely uninstall IE from Windows?

Thanks

Renouf, Phil wrote:
> The issue with that approach is that anyone can log in to those PCs and
> access the internet, so if the point is to try and restrict internet
> access to specific people this won't really cover that. You could put
> workstation restrictions on the users, but once you get past a certain
> number of people (and it's not a very large number) this begins to be
> a pain in the ass.
>
> A proxy server is your best bet since it will also allow you to set up
> caching, which will likely improve your web performance. I'm interested
> in seeing the IPSec setup too though.
>
> Phil
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carr,
> Jonathan (OFT)
> Sent: Wednesday, March 09, 2005 8:26 AM
> To: [email protected]
> Subject: RE: [ActiveDir] deny internet
>
> You could use Cisco's ACL with DHCP reservations. That way the PC
> always gets the same IP until you change the network card. You could
> also go into the configuration of the network card and give the
> "special" people a specific MAC and do the DHCP reservations that way.
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of
> [EMAIL PROTECTED]
> Sent: Wed 3/9/2005 12:12 AM
> To: [email protected]
> Subject: RE: [ActiveDir] deny internet
>
> Get a Proxy Server and use it to control outbound internet access.
>
> Deji
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Tuesday, March 08, 2005 7:22 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] deny internet
>
> Hi all.
>
> If I want to deny a user internet access but allow everything else, is
> this possible via GPO? On Win2k and WinXP?
>
> Also to include other browsers besides IE.
>
> A firewall solution is not possible right now and the clients are DHCP,
> so Cisco ACLs won't always work.
>
> Can I GPO this or is it easier to give the client a static IP and ACL
> it on the router?
>
> Thanks
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
