
How do I block a user's internet?

StraightPipe

Golden Member
I'm an admin, running Windows Server 2003 Small Business. I'm setting up a laptop for a user, who needs access to our server, but not to the internet. What is the easiest way to go about it?

I thought about rigging the firewall to block their IP, but haven't been able to figure it out yet. (and don't want to screw up the firewall)

I searched the web, but couldn't find an answer, just lots of people selling software to block porn from their kiddies.

Thanks!

****edit*****
I don't care if the user can ever access the internet, but I do want other users to be able to from the same lappy.

The laptop will not be mobile for the limited user. We have it set up as a workstation with keyboard/monitor/mouse.
 
I think the firewall will be the best bet. You should be able to bind the MAC address to a certain IP address, and then disallow Internet traffic for that IP.

My SOHO Belkin router can do the Internet traffic part, but I can't bind the MAC to a specific IP.
 
I thought of doing that, but since he said it was a laptop, I thought maybe the user might go to different networks and therefore probably needs DHCP enabled.
 
Originally posted by: scottws
I thought of doing that, but since he said it was a laptop, I thought maybe the user might go to different networks and therefore probably needs DHCP enabled.

My laptop could access the Internet independent of your server. So, what is the objective? Total Internet denial, or simply access through your server?

The former case can only be dealt with on a personal disciplinary basis - i.e., you tell the person that Internet access is not part of his/her job and no access to it is allowed on company time. Attach a "you're fired" penalty to that rule and move on.

Another approach is to prohibit any personal machines. You provide a work station if it is needed, and thereby control all access simply by not having a browser installed in it.
 
Dude, you are already running an ISA server. Drop a rule in to: Deny, from all, to all for specific user (your guy).
 

I was thinking that I could deny with the firewall, but I think I can only do this effectively with a static IP. (Is it possible with DHCP?)

I had also considered deleting IE and Firefox, but that would also affect other users.

Is there a way to only disable for the one user?
Maybe just delete all their links to IE and Firefox, and hope they don't know how to use the run command?

I keep thinking that there has to be a way to set up the user profile without rights to access internet.

Originally posted by: Smilin
Dude, you are already running an ISA server. Drop a rule in to: Deny, from all, to all for specific user (your guy).

Please elaborate. I know how to do the IP on the firewall, what about ISA server being able to block a user?
 
make an IP reservation for his mac address, block that ip to the internet, done.

DHCP server should hand out that IP to only his lappy and no other.
 
If he needs the ability to travel and get a DHCP address, but you don't want him browsing the Internet from ANYWHERE, then you have few choices:

First, make him a Local "Limited User" on his laptop, so he can't change his networking settings. He won't be able to install most programs (including viruses, worms, and trojans), either.

Then:

a) Set his Default Gateway permanently to some weird number
(Note: If he has access to a home router, he can set the router's IP address to that value and will have home access to the Internet).

or

b) If you have ISA Server (which it doesn't sound like you do), you force your ISA box to be his permanent Proxy Server. Then Deny him Internet Access in ISA.

How's he going to get his email when he travels? He, obviously, won't be able to Remote to his desktop to grab files, etc., either. Is he going to be able to get his job done while he's away? In fact, I can't think of many circumstances where he'd need DHCP on other networks...but no Internet access from there.
 
Originally posted by: RebateMonger
If he needs the ability to travel and get a DHCP address, but you don't want him browsing the Internet from ANYWHERE, then you have few choices:

First, make him a Local "Limited User" on his laptop, so he can't change his networking settings. He won't be able to install most programs (including viruses, worms, and trojans), either.

He probably won't be able to run a bunch of programs either. Make sure that all his applications he wants to use work before doing that.


What we do for people that want internet access, but not to internal services, is to not allow visitors to connect to a wired port, but we got a cheap wireless router and let them use that. It's on a different network segment from everything else.

It would be easy to set that up and then have the cheap router assign DHCP to the laptop and block a few ports on that. Maybe set up a VPN from the router to the server and just not allow any other network access.

Something like that.

there are a few different ways you could approach this...
 
put his user account in its own GPO, assign it a group policy that assigns a proxy server that doesn't exist.
 
I don't care if the user can ever access the internet, but I do want other users to be able to.

The laptop will not be mobile for the limited user.
 
There is no "rigging" that needs to happen here. Your SBS server already has an enterprise class firewall built into it. Run your 'net into the SBS server then from the SBS server to your internal routers/switches. Turn on ISA, create a rule that allows anyone in a particular AD user group access out. Leave your buddy out of the group.
 
What about changing Program Access?

I know I can disable IE and Firefox there, for each individual user. The problem is that the user doesn't have permission to change these settings.

maybe I can bump up their rights, disable, and drop their rights.
 
do it on the firewall. assign his MAC to pull from a 1-address DHCP pool. for that IP, allow LAN -> LAN traffic, deny all LAN -> WAN.
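
The two approaches argued in this thread, modelled side by side as an added example (not code from any poster): a firewall rule keyed on the laptop's reserved IP, and a proxy rule keyed on group membership as in the ISA suggestion. The subnet, addresses, user names and group contents are constructed for illustration; it shows that the IP-keyed rule blocks every user who logs on at the shared laptop, while the group-keyed rule blocks only the user left out of the group.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
LAN = ipaddress.ip_network("192.168.16.0/24")          # assumed office subnet
RESERVED_IP = ipaddress.ip_address("192.168.16.50")    # assumed DHCP reservation for the laptop's MAC
INTERNET_GROUP = {"alice", "bob"}                      # hypothetical AD group allowed out; "carol" is left out


def ip_policy(src, dst):
    """Firewall keyed on the reserved IP. Rules are ordered; first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [
        (lambda s, d: s == RESERVED_IP and d in LAN, "allow"),  # laptop: LAN -> LAN
        (lambda s, d: s == RESERVED_IP, "deny"),                # laptop: LAN -> WAN
        (lambda s, d: s in LAN, "allow"),                       # every other LAN host
    ]
    for matches, action in rules:
        if matches(src, dst):
            return action
    return "deny"  # default deny for anything unmatched


def user_policy(user, dst):
    """Authenticating proxy keyed on group membership, independent of source IP."""
    if ipaddress.ip_address(dst) in LAN:
        return "allow"  # internal traffic does not pass through the proxy rule
    return "allow" if user in INTERNET_GROUP else "deny"


def compare(dst):
    """(IP-keyed result, user-keyed result) for each user at the shared laptop."""
    return {
        user: (ip_policy(str(RESERVED_IP), dst), user_policy(user, dst))
        for user in ("alice", "carol")
    }


if __name__ == "__main__":
    for target in ("192.168.16.2", "203.0.113.10"):  # server on LAN, host on the Internet
        print(target, compare(target))
```
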
 
/true Baloo.

Straight, how are you a network admin? Or is it just a side task you take care of?

Anyway, the question has been answered multiple times--hose his default gateway, give him limited network access, problem solved.
:]
 