Totally blocking Internet Access though Group Policy on Windows Server 2008 R2 The Next CEO of Stack OverflowSquid and Active Directory authenticationRestricting Internet Access with Group PolicyWindows 2008 Group Policy Setting? - Migration HeadacheGroup Policy Preferences in Server 2008 R2Publish Bookmarks in FireFox with Active Directory (AD)Windows Server 2008 group policyPrevent Internet Explorer from saving files with the “T” attribute setOn a terminal services server windows 2008 how can you lower the security settings of usersWindows 8.1 - Group Policy Settings set, but not executet when offlineUse Script To Query Local Group Policy Windows Server 2008how to prevent access to \127.0.0.1c$ or \localhostc$

What is the purpose of the Evocation wizard's Potent Cantrip feature?

Why did we only see the N-1 starfighters in one film?

Is the concept of a "numerable" fiber bundle really useful or an empty generalization?

How to count occurrences of text in a file?

Why do remote companies require working in the US?

Fastest way to shutdown Ubuntu Mate 18.10

What does "Its cash flow is deeply negative" mean?

Customer Requests (Sometimes) Drive Me Bonkers!

Why doesn't a table tennis ball float on the surface? How do we calculate buoyancy here?

How should I support this large drywall patch?

What is meant by a M next to a roman numeral?

Text adventure game code

Are there languages with no euphemisms?

Why were Madagascar and New Zealand discovered so late?

Increase performance creating Mandelbrot set in python

When did Lisp start using symbols for arithmetic?

Is it okay to store user locations?

Only print output after finding pattern

How do spells that require an ability check vs. the caster's spell save DC work?

What does this shorthand mean?

% symbol leads to superlong (forever?) compilations

Why is there a PLL in CPU?

How can I quit an app using Terminal?

Rotate a column



Totally blocking Internet Access though Group Policy on Windows Server 2008 R2



The Next CEO of Stack OverflowSquid and Active Directory authenticationRestricting Internet Access with Group PolicyWindows 2008 Group Policy Setting? - Migration HeadacheGroup Policy Preferences in Server 2008 R2Publish Bookmarks in FireFox with Active Directory (AD)Windows Server 2008 group policyPrevent Internet Explorer from saving files with the “T” attribute setOn a terminal services server windows 2008 how can you lower the security settings of usersWindows 8.1 - Group Policy Settings set, but not executet when offlineUse Script To Query Local Group Policy Windows Server 2008how to prevent access to \127.0.0.1c$ or \localhostc$










2















I need to block internet access for some users on our Windows Servers 2008 R2. If you google this question you will find a lot results that propose to disabling Internet Explorer and setting a proxy to 0.0.0.0. Unfortunately this can easily bypassed using a portable Firefox for example.



Is there a more restrictive solution? I need to find a way that even telnet, ftp etc. won't work.



Thanks for your help!



Update for clarification: I would like to block internet access only for some users, not or all on this server.










share|improve this question




























    2















    I need to block internet access for some users on our Windows Servers 2008 R2. If you google this question you will find a lot results that propose to disabling Internet Explorer and setting a proxy to 0.0.0.0. Unfortunately this can easily bypassed using a portable Firefox for example.



    Is there a more restrictive solution? I need to find a way that even telnet, ftp etc. won't work.



    Thanks for your help!



    Update for clarification: I would like to block internet access only for some users, not or all on this server.










    share|improve this question


























      2












      2








      2


      1






      I need to block internet access for some users on our Windows Servers 2008 R2. If you google this question you will find a lot results that propose to disabling Internet Explorer and setting a proxy to 0.0.0.0. Unfortunately this can easily bypassed using a portable Firefox for example.



      Is there a more restrictive solution? I need to find a way that even telnet, ftp etc. won't work.



      Thanks for your help!



      Update for clarification: I would like to block internet access only for some users, not or all on this server.










      share|improve this question
















      I need to block internet access for some users on our Windows Servers 2008 R2. If you google this question you will find a lot results that propose to disabling Internet Explorer and setting a proxy to 0.0.0.0. Unfortunately this can easily bypassed using a portable Firefox for example.



      Is there a more restrictive solution? I need to find a way that even telnet, ftp etc. won't work.



      Thanks for your help!



      Update for clarification: I would like to block internet access only for some users, not or all on this server.







      windows-server-2008 windows-server-2008-r2 group-policy






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 17 hours ago









      ewwhite

      174k76370725




      174k76370725










      asked Dec 7 '11 at 12:37









      HeinrichHeinrich

      48531634




      48531634




















          5 Answers
          5






          active

          oldest

          votes


















          8














          The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves.
          Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO which would catch all outbound traffic.
          Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actaully trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.






          share|improve this answer

























          • Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

            – Heinrich
            Dec 7 '11 at 13:41











          • @Heinrich something like TMG can do group-based rules.

            – MDMarra
            Dec 7 '11 at 13:43











          • @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

            – Paul Ackerman
            Dec 9 '11 at 1:21


















          2














          ...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those user's MAC address so they always get that (incorrect) gateway address.



          Otherwise proxy it, log it, and then fire them if this is a business discipline problem.






          share|improve this answer























          • To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

            – Driftpeasant
            Dec 7 '11 at 13:47


















          2














          You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.






          share|improve this answer






























            2














            I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.






            share|improve this answer























            • This seems to be a great device, but is there an option of having this as Software?

              – Heinrich
              Dec 18 '11 at 22:54











            • They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

              – ewwhite
              Dec 18 '11 at 22:56


















            0














            The only realistic option probably is to disable direct internet acces, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory[AD]). That way, everyone has to authenticate to go online.



            Disadvantages:



            • If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.

            • If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.

            • It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy)

            I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.






            share|improve this answer

























              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "2"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f338522%2ftotally-blocking-internet-access-though-group-policy-on-windows-server-2008-r2%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              5 Answers
              5






              active

              oldest

              votes








              5 Answers
              5






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              8














              The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves.
              Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO which would catch all outbound traffic.
              Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actaully trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.






              share|improve this answer

























              • Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

                – Heinrich
                Dec 7 '11 at 13:41











              • @Heinrich something like TMG can do group-based rules.

                – MDMarra
                Dec 7 '11 at 13:43











              • @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

                – Paul Ackerman
                Dec 9 '11 at 1:21















              8














              The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves.
              Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO which would catch all outbound traffic.
              Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actaully trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.






              share|improve this answer

























              • Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

                – Heinrich
                Dec 7 '11 at 13:41











              • @Heinrich something like TMG can do group-based rules.

                – MDMarra
                Dec 7 '11 at 13:43











              • @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

                – Paul Ackerman
                Dec 9 '11 at 1:21













              8












              8








              8







              The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves.
              Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO which would catch all outbound traffic.
              Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actaully trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.






              share|improve this answer















              The best solution is probably to do this on the network level with a proxy. You can force all Internet-bound traffic through the proxy using WCCP or the like and not configure anything on the hosts themselves.
              Otherwise, I think you might be able to configure the Windows firewall to disallow this outbound traffic via GPO which would catch all outbound traffic.
              Furthermore, since it's a server, it likely has a static IP and you could just block outbound traffic at your perimeter firewall - assuming you are actaully trying to block Internet access from the server itself - it wasn't clear to me if you mean for all users (using the server and GPO to accomplish) or if you just wanted to block access from your servers.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Dec 7 '11 at 12:53

























              answered Dec 7 '11 at 12:48









              Paul AckermanPaul Ackerman

              2,6141222




              2,6141222












              • Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

                – Heinrich
                Dec 7 '11 at 13:41











              • @Heinrich something like TMG can do group-based rules.

                – MDMarra
                Dec 7 '11 at 13:43











              • @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

                – Paul Ackerman
                Dec 9 '11 at 1:21

















              • Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

                – Heinrich
                Dec 7 '11 at 13:41











              • @Heinrich something like TMG can do group-based rules.

                – MDMarra
                Dec 7 '11 at 13:43











              • @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

                – Paul Ackerman
                Dec 9 '11 at 1:21
















              Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

              – Heinrich
              Dec 7 '11 at 13:41





              Thanks for the answer. Just to clarify, I would like to block the internet only for some users.

              – Heinrich
              Dec 7 '11 at 13:41













              @Heinrich something like TMG can do group-based rules.

              – MDMarra
              Dec 7 '11 at 13:43





              @Heinrich something like TMG can do group-based rules.

              – MDMarra
              Dec 7 '11 at 13:43













              @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

              – Paul Ackerman
              Dec 9 '11 at 1:21





              @Heinrich. Any descent web-content filter product (TMG, Cuda, Websense, many different UTM firewalls etc) can use user account or AD group membership so you can apply different policies to different users. (Or no policies to those users you don't wish to block). I still think this will be easiest method of accomplishing your goals and will give you long-term flexibility over say butchering your clients DNS or default gateways that could have unintended results.

              – Paul Ackerman
              Dec 9 '11 at 1:21













              2














              ...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those user's MAC address so they always get that (incorrect) gateway address.



              Otherwise proxy it, log it, and then fire them if this is a business discipline problem.






              share|improve this answer























              • To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

                – Driftpeasant
                Dec 7 '11 at 13:47















              2














              ...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those user's MAC address so they always get that (incorrect) gateway address.



              Otherwise proxy it, log it, and then fire them if this is a business discipline problem.






              share|improve this answer























              • To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

                – Driftpeasant
                Dec 7 '11 at 13:47













              2












              2








              2







              ...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those user's MAC address so they always get that (incorrect) gateway address.



              Otherwise proxy it, log it, and then fire them if this is a business discipline problem.






              share|improve this answer













              ...why not just set the gateway in DHCP to a non-routed address or a blank address so traffic can't go out? Set it for those user's MAC address so they always get that (incorrect) gateway address.



              Otherwise proxy it, log it, and then fire them if this is a business discipline problem.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Dec 7 '11 at 13:41









              Bart SilverstrimBart Silverstrim

              29.5k95684




              29.5k95684












              • To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

                – Driftpeasant
                Dec 7 '11 at 13:47

















              • To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

                – Driftpeasant
                Dec 7 '11 at 13:47
















              To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

              – Driftpeasant
              Dec 7 '11 at 13:47





              To expand on Bart's answer - if you are really trying to only block internet for some users, and you're paranoid about Portable Firefox or what have you, then yes, use DHCP to set no gateway for those users. Bear in mind that since you've said in another post you only want to do this for some users, you'll have to set up 2 DHCP scopes and DHCP reservations, OR use static IP addresses on the machines that need external access.

              – Driftpeasant
              Dec 7 '11 at 13:47











              2














              You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.






              share|improve this answer



























                2














                You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.






                share|improve this answer

























                  2












                  2








                  2







                  You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.






                  share|improve this answer













                  You could use a proxy for this or you could set up an ACL (access control list) on your router to block outbound traffic from the workstations in question.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 7 '11 at 13:57









                  joeqwertyjoeqwerty

                  96.4k464149




                  96.4k464149





















                      2














                      I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.






                      share|improve this answer























                      • This seems to be a great device, but is there an option of having this as Software?

                        – Heinrich
                        Dec 18 '11 at 22:54











                      • They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

                        – ewwhite
                        Dec 18 '11 at 22:56















                      2














                      I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.






                      share|improve this answer























                      • This seems to be a great device, but is there an option of having this as Software?

                        – Heinrich
                        Dec 18 '11 at 22:54











                      • They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

                        – ewwhite
                        Dec 18 '11 at 22:56













                      2












                      2








                      2







                      I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.






                      share|improve this answer













                      I hate to give an expensive commercial recommendation, but the Barracuda Web Filter 310 does everything you're asking and can definitely tie into your AD topology. It has content and protocol awareness, so you could restrict downloads, telnet, ftp, etc. on a user or group basis.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Dec 7 '11 at 14:30









                      ewwhiteewwhite

                      174k76370725




                      174k76370725












                      • This seems to be a great device, but is there an option of having this as Software?

                        – Heinrich
                        Dec 18 '11 at 22:54











                      • They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

                        – ewwhite
                        Dec 18 '11 at 22:56

















                      • This seems to be a great device, but is there an option of having this as Software?

                        – Heinrich
                        Dec 18 '11 at 22:54











                      • They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

                        – ewwhite
                        Dec 18 '11 at 22:56
















                      This seems to be a great device, but is there an option of having this as Software?

                      – Heinrich
                      Dec 18 '11 at 22:54





                      This seems to be a great device, but is there an option of having this as Software?

                      – Heinrich
                      Dec 18 '11 at 22:54













                      They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

                      – ewwhite
                      Dec 18 '11 at 22:56





                      They have a virtual appliance available if you have a virtualized environment. Otherwise, it's a physical appliance.

                      – ewwhite
                      Dec 18 '11 at 22:56











                      0














                      The only realistic option probably is to disable direct internet acces, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory[AD]). That way, everyone has to authenticate to go online.



                      Disadvantages:



                      • If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.

                      • If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.

                      • It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy)

                      I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.






                      share|improve this answer





























                        0














                        The only realistic option probably is to disable direct internet acces, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory[AD]). That way, everyone has to authenticate to go online.



                        Disadvantages:



                        • If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.

                        • If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.

                        • It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy)

                        I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.






                        share|improve this answer



























                          0












                          0








                          0







                          The only realistic option probably is to disable direct internet acces, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory[AD]). That way, everyone has to authenticate to go online.



                          Disadvantages:



                          • If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.

                          • If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.

                          • It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy)

                          I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.






                          share|improve this answer















                          The only realistic option probably is to disable direct internet acces, thus forcing all internet traffic through a proxy. Then configure this proxy to require authentication (ideally against the Active Directory[AD]). That way, everyone has to authenticate to go online.



                          Disadvantages:



                          • If any programs on the server require net access, they need to get special service accounts that grant them access (either real AD accounts, or just special accounts on the proxy). These accounts will of course need to be protected.

                          • If some programs or users require protocols that cannot be easily proxied (e.g. exotic protocols), you will have to find a case-by-case solution.

                          • It will mean extra configuration for all users (though I believe some browsers can automatically log on to a proxy)

                          I have never implemented this, but I believe it should work. At least Squid lets you authenticate against an AD; I assume other proxies can do the same.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Apr 13 '17 at 12:14









                          Community

                          1




                          1










                          answered Dec 14 '11 at 9:15









                          sleskesleske

                          8,43232440




                          8,43232440



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Server Fault!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f338522%2ftotally-blocking-internet-access-though-group-policy-on-windows-server-2008-r2%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

                              Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

                              Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020