Or.... Another approach is to remove the root hints or forwarder from your AD DNS? If their browser can't look up URL host names, they can't find where to go. This doesn't prevent more savvy users from skirting the restriction by using IP addresses, but your typical user would be stifled and it's free.
Jim Becker Asst. Dir. of Administrative Systems State University of New York System Administration [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Rogers, James > Sent: Wednesday, March 09, 2005 8:06 AM > To: [email protected] > Subject: RE: [ActiveDir] deny internet > > This might sound like a "stupidly easy" solution, but if > you've got a very > small office with all resources on a single subnet, you could > always give > the machines a bogus gateway. They'd be able to access local > resources, > but not get outside of their home subnet. I've done this before as an > "easy fix" for a temporary problem, and found the simplest/cheapest > solution to be the best solution for the short term. > > -James > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom > Sent: Tuesday, March 08, 2005 10:22 PM > To: ActiveDir (E-mail) > Subject: [ActiveDir] deny internet > > > hi all. > If I want to deny a user internet access but allow everything else, is > this possible via GPO? On win2k and winXP? also to include > other browsers > besides IE a firewall solution is not possible right now and > the clients > are dhcp so cisco acl's won't always work. Can I gpo this or > is it easier > to give the client a static ip and acl it on the router? thanks > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
