
Group Policy - Restrict Internet Access by OU?


Ripley
Aug 22, 2005, 4:43:33 AM
I have an SBS 2003 and multiple users. I've split some of these users off into
their own OU so that I can create a new Group Policy for them which is
different from the standard. I also would like to restrict this group's
internet access. Easy enough, as I could restrict access to the whole
iexplore.exe program. BUT - I want them to be able to access our Intranet
ONLY, and nothing else on the Internet.
I can't work out a way to do this and have been unsuccessful in my efforts
up until now. For instance, if I tick the connection settings as
"Automatically detect", their machines are able to go on the internet as
normal. Is it possible to do what I am trying to do? The SBS 2003 server is
directly connected to the internet, so all machines just have their
"Automatically detect" option ticked to route through onto the internet.

Charles Yang [MSFT]
Aug 22, 2005, 10:19:40 PM
Hi,

Nice to hear from you again.

Issue description:
===========

From your description, I understand that you want to restrict users from
accessing the internet through policy.

Analyzing and suggestions:
===========

Before we go any further, please note that it is not possible to restrict
users' internet access via OU and Group Policy; we have such an option only
on SBS Premium Edition.

Here I would like to give you some suggestions on each:

ISA:

Create a Protocol Rule
=====

We need to create a Protocol Rule to allow the HTTP, HTTPS and FTP protocols,
and then apply it to the specific user group. You can create a special group
to allow only a specific OU to access the internet; by default in SBS only the
Internet Users group is allowed, and you can remove this group and add the
OU or group you want.

Standard:

In SBS 2003 Standard, we have no such option to restrict users' internet
access by group or OU. We can only restrict users' internet access by
IP address; please refer to the following section:

1. Assign static IP addresses to the clients. You can use DHCP to assign
the IP address based on MAC address, so that a client computer receives a
fixed IP via DHCP.
2. Configure RRAS to filter the IP addresses (outbound filter on network
connections).

For more information, please refer to this Knowledge Base article:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

In addition, you can use the GPO approach by creating a restricted OU and
restricting IE settings on the users in that OU. Please refer to the
following section:

Web proxy "poisoning", with the company intranet site as the exception to the
proxy settings, combined with locked-down IE settings enforced via Group
Policy.

I'll create a new group called "internet access". I'll add users who are
eligible for internet access. I'll exempt this group from the new group
policy setting that forces an invalid proxy (my choice of IP, as long as it
is invalid on the domain) into IE. I'll also list in "Use these
proxy settings except for the following sites":

1. The client URL for their intranet. <Maybe also *.microsoft.com so Windows
Update works on each workstation. Maybe not if I roll out SUS for the LAN.>
2. Make sure that through Group Policy the user cannot alter the IE connection
settings or remove the bogus proxy.

This solution should allow internet access for those members of internet
access group (do not get bogus proxy address) and forbid it for those who
do not belong to the internet access group (receive the bogus proxy address
and cannot alter/remove it).

It also meets my needs for continued Intranet access for ALL, but please
note that it is only a good solution if the client computers use IE for
internet access. If they change the browser, the suggestion above does not
work at all, and all the users will be allowed onto the internet.

We appreciate your understanding, if you have any further concerns; please
feel free to post here. I am glad to help you.

Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Group Policy - Restrict Internet Access by OU?
| thread-index: AcWm9ZQHF75RM56HRDKMMf4mRauV/g==
| X-WBNR-Posting-Host: 81.138.254.211
| From: =?Utf-8?B?UmlwbGV5?= <Rip...@discussions.microsoft.com>
| Subject: Group Policy - Restrict Internet Access by OU?
| Date: Mon, 22 Aug 2005 01:43:33 -0700
| Lines: 12
| Message-ID: <52106E7D-7CFD-4794...@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:146550
| X-Tomcat-NG: microsoft.public.windows.server.sbs
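The proxy "poisoning" scheme described in the reply above, as an added example that is not part of the thread and not Microsoft's code: a small Python model of how Internet Explorer applies the exception list (direct when the host matches an entry, otherwise to the configured proxy), followed by an audit of the values a restricted GPO pushes. The group names, host names, proxy address and the dictionary keys in the audit are assumptions; the registry value names ProxyEnable, ProxyServer and ProxyOverride are IE's own.

```python
"""Model of the 'bogus proxy' Group Policy control described in the post.

Added example, not code from the thread. It reproduces the decision Internet
Explorer makes from its per-user connection settings (the ProxyEnable,
ProxyServer and ProxyOverride values under HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings): a request goes direct when the host matches
the exception list, otherwise it goes to the configured proxy. When that proxy
address is unreachable, "proxy" means "no Internet". Group names, host names,
the proxy address and the settings dictionaries below are constructed.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

BOGUS_PROXY = "10.255.255.1:8080"                    # constructed; invalid on the domain
PROXY_OVERRIDE = "intranet;*.corp.example;<local>"   # "except for the following sites"
INTERNET_ACCESS_GROUP = {"alice", "bob"}             # members exempt from the restricted GPO


def split_override(override: str) -> list:
    """ProxyOverride is a ';'-separated list; ignore empty entries and whitespace."""
    return [e.strip() for e in override.split(";") if e.strip()]


def host_bypasses_proxy(host: str, override: str = PROXY_OVERRIDE) -> bool:
    """True if IE would send the request directly, bypassing the proxy.

    '<local>' is IE's "bypass proxy server for local addresses" and matches any
    host name without a dot; every other entry is a case-insensitive wildcard.
    """
    host = host.lower()
    for entry in split_override(override):
        if entry == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, entry.lower()):
            return True
    return False


def effective_route(user: str, url: str) -> str:
    """Return 'DIRECT' or 'PROXY <addr>' for this user fetching this URL."""
    host = urlsplit(url).hostname or ""
    if user in INTERNET_ACCESS_GROUP:
        return "DIRECT"                       # restricted GPO does not apply
    if host_bypasses_proxy(host):
        return "DIRECT"                       # intranet exception list
    return f"PROXY {BOGUS_PROXY}"             # proxy never answers: request fails


def audit_restricted_settings(settings: dict) -> list:
    """Flag ways the control silently stops working.

    `settings` mirrors the pushed registry values by name (constructed dict,
    not a live registry read); the 'ProxyLocked' key is an assumed stand-in for
    the IE policy "Disable changing proxy settings".
    """
    findings = []
    if settings.get("ProxyEnable") != 1:
        findings.append("ProxyEnable is not 1: IE goes direct and the control is off")
    if not settings.get("ProxyServer"):
        findings.append("ProxyServer is empty: nothing to send traffic to")
    for entry in split_override(settings.get("ProxyOverride", "")):
        if entry == "*":
            findings.append("ProxyOverride contains '*': every host bypasses the proxy")
    if settings.get("ProxyLocked") != 1:
        findings.append("proxy settings not locked: the user can remove the bogus proxy")
    return findings


if __name__ == "__main__":
    for user, url in [("carol", "http://intranet/"), ("carol", "http://www.example.com/"),
                      ("alice", "http://www.example.com/")]:
        print(user, url, "->", effective_route(user, url))
    print(audit_restricted_settings({"ProxyEnable": 1, "ProxyServer": BOGUS_PROXY,
                                     "ProxyOverride": PROXY_OVERRIDE, "ProxyLocked": 1}))
```

The audit is where the caveat in the post lives: the control depends entirely on the client honouring these values, so a browser that ignores IE's proxy settings, an unlocked Connections tab, or a wildcard exception all give every user the same access as the exempt group.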

Ripley
Aug 23, 2005, 4:08:02 AM
Thank you for your comprehensive answer. I certainly have more options than I
first thought.

However, I seem to have omitted the fact that I actually DO have SBS Premium
2003 edition on my server. So I'm guessing the best way would be to create
this group you mention in ISA. Problem is that I can't see ISA anywhere on my
server. Is it not installed by default or something?

I wonder could you advise on where to find ISA, how to install it if it's not
done so by default, and perhaps add more on this theory of adding a group in
ISA to then attach to the global policy?

Thanks.

Charles Yang [MSFT]
Aug 23, 2005, 5:48:15 AM
Hi,

Thanks for updates.

From your description, I understand that you have SBS Premium. As far as I
know, if you cannot find ISA on SBS 2003, you can use the SBS Premium
Technologies disc to install ISA Server.

1. Check the last disc of your SBS package; you will find a
document that describes how to install ISA on SBS 2003.
2. After you install ISA, please refer to the following section for how to
restrict internet access for a specific user group.

Open ISA Management and create a new Protocol Rule at Servers and
Arrays\YourServer\Access Policy\Protocol Rules with the following content:

Action: Deny
Protocol: All IP traffic except selected: HTTP
Apply to: Users and groups specified below: "Limit Group"

Then your users can only access HTTP (TCP 80). Please continue with the
following to restrict the site content.

Open ISA Management and create a new Destination Set at Servers and
Arrays\YourServer\Policy Elements\Destination Sets with the following content:

Destination Set name: you specify
Destination entry: the website that is allowed to be accessed, such as XYZ.com

Open ISA Management and create a new Site and Content Rule at Servers and
Arrays\YourServer\Access Policy\Site and Content Rules with the following content:

Destination: All destinations except selected set: choose the destination
set you created above
Action: Denied
Applied to: Users and groups specified below: Limit Group
HTTP content: All content groups.

Hope this is helpful; please feel free to let us know. I am glad to help you.

Best regards,

Charles Yang (MSFT)

Get Secure! - www.microsoft.com/security

| thread-index: AcWnuci7oa0Wsbl0SD6Ipd5k7BfKLg==
| X-WBNR-Posting-Host: 81.138.254.211
| From: =?Utf-8?B?UmlwbGV5?= <Rip...@discussions.microsoft.com>
| References: <52106E7D-7CFD-4794...@microsoft.com>
<HH5Sjk4p...@TK2MSFTNGXA01.phx.gbl>
| Subject: RE: Group Policy - Restrict Internet Access by OU?
| Date: Tue, 23 Aug 2005 01:08:02 -0700
| Lines: 182
| Message-ID: <A2B17812-EE03-4174...@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:146910
| X-Tomcat-NG: microsoft.public.windows.server.sbs
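The two ISA rules in the reply above, as an added example that is neither the thread's nor ISA Server's code: a Python model of the rule set (the SBS default allow rule plus the Protocol Rule and Site and Content Rule from the post) that returns Allow or Deny for a user, protocol and destination. The evaluation order is the one the post's rules rely on and is stated as an assumption in the code: a request needs an allowing protocol rule and an allowing site rule, any matching Deny wins, and nothing matching means Deny. Group names, user names and the XYZ.com destination set are constructed.

```python
"""Model of ISA 2000-style Protocol Rules and Site and Content Rules.

Added example, not code from the thread or from ISA Server. Assumed
semantics: a request is allowed only if some protocol rule AND some site and
content rule allow it; any matching Deny rule wins; with no matching rule
the request is denied. Groups, users and destinations are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

WEB_PROTOCOLS = {"HTTP", "HTTPS", "FTP"}


@dataclass
class Rule:
    name: str
    action: str                          # "Allow" or "Deny"
    groups: Optional[set] = None         # None = applies to any request
    protocols: Optional[set] = None      # None = all IP traffic (protocol rules)
    except_protocols: set = field(default_factory=set)
    destinations: Optional[set] = None   # None = all destinations (site rules)
    except_destinations: set = field(default_factory=set)

    def applies_to_user(self, user_groups: set) -> bool:
        return self.groups is None or bool(user_groups & self.groups)

    def matches_protocol(self, protocol: str) -> bool:
        if protocol in self.except_protocols:
            return False
        return self.protocols is None or protocol in self.protocols

    def matches_destination(self, host: str) -> bool:
        def in_set(patterns):
            return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)
        if in_set(self.except_destinations):
            return False                 # "All destinations except selected set"
        return self.destinations is None or in_set(self.destinations)


def decide(matched: list) -> str:
    """Deny wins over Allow; nothing matched means Deny."""
    actions = {r.action for r in matched}
    if "Deny" in actions:
        return "Deny"
    return "Allow" if "Allow" in actions else "Deny"


def evaluate(protocol_rules, site_rules, user_groups, protocol, host) -> str:
    proto = decide([r for r in protocol_rules
                    if r.applies_to_user(user_groups) and r.matches_protocol(protocol)])
    site = decide([r for r in site_rules
                   if r.applies_to_user(user_groups) and r.matches_destination(host)])
    return "Allow" if proto == site == "Allow" else "Deny"


# Constructed policy: the SBS default allow rule plus the two rules from the post.
PROTOCOL_RULES = [
    Rule("SBS default", "Allow", groups={"Internet Users"}, protocols=WEB_PROTOCOLS),
    Rule("Limit protocols", "Deny", groups={"Limit Group"},
         protocols=None, except_protocols={"HTTP"}),       # all IP traffic except HTTP
]
SITE_RULES = [
    Rule("SBS default", "Allow"),                          # all destinations, everyone
    Rule("Limit sites", "Deny", groups={"Limit Group"},
         destinations=None, except_destinations={"xyz.com", "*.xyz.com"}),
]

USERS = {  # constructed group memberships
    "alice": {"Internet Users"},
    "carol": {"Internet Users", "Limit Group"},
    "dave": set(),
}


def check(user: str, protocol: str, host: str) -> str:
    return evaluate(PROTOCOL_RULES, SITE_RULES, USERS[user], protocol, host)


if __name__ == "__main__":
    for user, proto, host in [("carol", "HTTP", "www.xyz.com"),
                              ("carol", "HTTP", "www.example.com"),
                              ("carol", "HTTPS", "www.xyz.com"),
                              ("alice", "HTTPS", "www.example.com"),
                              ("dave", "HTTP", "www.xyz.com")]:
        print(f"{user:6} {proto:5} {host:16} -> {check(user, proto, host)}")
```

Running the model shows why both rules are needed: the Protocol Rule alone still lets a Limit Group member browse any HTTP site, and the Site and Content Rule alone still lets them use HTTPS or FTP, so the restriction only holds when the two Deny rules overlap. Unlike the browser-side proxy trick, the rules are enforced at the gateway, so changing the client browser does not bypass them.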

bbohio
Aug 23, 2005, 12:51:44 PM
Charles-

Your knowledge is impressive. Maybe you can help with a very simple
question in regards to SBS '03 Premium. There is a server in NC I
must access to install SQL Server 2000. The client is going to leave
the CD in the server overnight, but they are saying about 8 CDs came
with SBS '03 Premium and want to know which one has SQL Server 2000
on it.

The one labeled "Windows Small Business Server 2003 Premium Edition"?

Thank you for any help on this matter.

Brandon

Charles Yang [MSFT]
Aug 23, 2005, 8:56:15 PM
Hi,

Thanks for updates.

From your description, it seems you got a new SBS 2003 Premium with SP1, so
you will have 8 CDs. As far as I know, the first 5 CDs should be SBS 2003
Premium and the remaining 3 should be SBS 2003 SP1.

The Premium Tech CD, which includes ISA 2004 and SQL 2000 SP4, should be
the last CD, and SQL 2000 should be on that same CD, the one which is
called the Premium Tech CD.

Thanks for your efforts.

Best regards,

Charles Yang (MSFT)

Get Secure! - www.microsoft.com/security

--------------------
| NNTP-Posting-Date: Tue, 23 Aug 2005 11:51:44 -0500
| Subject: re:Group Policy - Restrict Internet Access by OU?
| From: hondaci...@yahoo-dot-com.no-spam.invalid (bbohio)
| Newsgroups: microsoft.public.windows.server.sbs
| Mime-Version: 1.0
| Content-Type: text/plain; charset=ISO-8859-15
| Content-Transfer-Encoding: 8bit
| User-Agent: newsSync (Windows Server) 184271
| References: <52106E7D-7CFD-4794...@microsoft.com>
| Message-ID: <hKqdndX4Xae...@giganews.com>
| Date: Tue, 23 Aug 2005 11:51:44 -0500
| Lines: 1
| X-Trace:
sv3-DG7nlXgd9YQl6HX4aAHZRDzCH6gEgQxga9Z8D7JbgSWh3praTXLw08h1HXC2nCGVdgJqYJgK
xd0cUNa!cHAtXTTbSZaziQbf/8oV/HV7wWgER5TjhckiIw0vE2B1k7AW2iT1X4pCE4iZ
| X-Complaints-To: ab...@giganews.com
| X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!nntp.giganews.com!border1.nntp.dca.gigan
ews.com!local01.nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:147039
| X-Tomcat-NG: microsoft.public.windows.server.sbs
