Hey all,

I realize a majority of people here are Linux-oriented, but I'm hoping some MS people lurking out there are reading too...

I have a question regarding Group Policy in Active Directory. I've searched the internet high and low, and posted in other various MS/AD/whatever oriented groups and forums - and have come up with not much. Knowing that this forum is an excellent resource, hopefully someone else here has run into this situation or one similar.

I am trying to apply an IP Security policy to a group of users using a GPO - but you can only apply IP Security policies under the computer configuration and therefore I cannot effect this change to specific users and only specific computers.

Here is the scenario: I want to restrict access to the Internet. I could just allow access to all computers by default, then create a security group (ie "DenyInternet"), add computer accounts to that group that I don't want to have access, then configure that group to apply a GPO that denies HTTP/HTTPS using an IP security policy. This works now.

But, because users often hop around different machines, this will not work. Its almost like Group Policy Loopback Processing - but the other way around. Instead of applying user policies based on the location of a computer account, I want to apply a computer policy based on a user account. But since the computer policies process when the computer turns on and not when a user logs on, I may have just answered my own question. But I'm hoping someone out there might have a better solution or know something that I don't.

Currently, users are restricted from the internet by way of an authentication applet which is very annoying.

Thanks,

If it were me, I'd simply ignore the whole Group Policy thing (since some users might be running Win98 which doesn't have that crap anyway), and just use Microsoft Proxy server for their internet connection. Then you can choose which users and groups get access from the proxy server's console.

Agreed - but spending money (on IAS) isn't a very popular option, especially when I'm fixing something that isn't really broken.

Remember, I'm trying to "do more with less".

Remember, I'm trying to "do more with less".

Ah. In other words, the exact opposite of what Windows stands for (which is "do less with more").

Short of installing a third-party proxy or NAT I think your only option is to use the Group Policy setting under User Config/Windows Settings/Internet Explorer Maint/Connection/Proxy Settings and set the proxy server address to a non-existant address for those "banned" users. Of course, once they figure out they can install Opera or Netscape you will be screwed on this one, but if your users aren't particulary creative this will work.

Do you have internal websites that have to be accessed by these users? It'd be possible to deny use of IE on a per-user level.

-Zeke

I think your only option is to use the Group Policy setting under User Config/Windows Settings/Internet Explorer Maint/Connection/Proxy Settings and set the proxy server address to a non-existant address for those "banned" users

Hmm I hadn't thought of that but I think I'll give this a try. Thanks for the tip! Our users are not terribly proficient.... so little worry about rogue Opera or Netscape installs. Some still have trouble using a mouse.