RE: Stop browsing the web through GP?

["Faisal Masood" <faisyuet () wol net pk>]

Well as said earlier, restrict access to IE or better use some good
firewall where you can restrict individuals.

I've been using MS ISA Firewall for the last 2 years for restricting
users to access certain sites & to manage net access effectively.

Using group policy .... well there is no such option. 

But off the way you can do one thing. Open Group Policy of the OU whose
users you want to restrict. There check Internet Explorer settings.
There is a setting where can specify LAN settings for the browser of
that OU users. Say if u have a gateway / firewall named NetServer
listening for proxy requests at 3128. In GPO, IE settings enter some
dummy entries say.... DummyServer with any port e.g 3128. Also make sure
to set a GPO setting where users can't change their IE LAN settings. 

So now what happens, when users from that OU try a connect to a site,
they would get no reply as their request would be going to non-existent
proxy. Using this method those users can browse your local sites.


Give it a try ;)


Regards

Faisal Masood (FM)

Lahore, Pakistan



-----Original Message-----
From: Dave M. [mailto:curb_security () aon at] 
Sent: Tuesday, September 16, 2003 10:50 PM
To: security-basics () securityfocus com
Subject: Re: Stop browsing the web through GP?

Spencer D'oro wrote:

> I have a Windows Server 2003 domain.  I am looking for a way to keep
> users in a partcular OU from browsing the web.  I want to accomplish
> this through Group Policy, but I can't find anything in the ADM
> templates for Users or for Computers.  Is there another ADM template I
> am missing?  Or is the policy all ready present and I am missing it?  I
> have tried searching on Tech-Net and Google and I haven't been able to
> find anything.  Please help.
>
> Loki
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
>
>
>
> -----------------------------------------------------------------------
----
> Captus Networks 
> Are you prepared for the next Sobig & Blaster? 
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
> - Precisely Define and Implement Network Security 
> - Automatically Control P2P, IM and Spam Traffic 
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
> http://www.captusnetworks.com/ads/42.htm
> -----------------------------------------------------------------------
-----
>  
I suggest to configure the proxy that nobody can acces the inet. Its 
also possible to
restrict the acces to IE

regards

Dave



------------------------------------------------------------------------
---
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------