Restricting internet access in a policy

I need to create or modify a policy (either local or domain) to elliminate internet access for some production machines.

I dont want to do it on a network level because I still want the machines to receive Windows and virus updates as well as receive exchange E Mail.

Any suggestions?

 

Do you have a proxy server?
Firewall?
Dns server to resolve only internal requests?
If you have it you can do that.
You can force the proxy settings of IE or you can set one dns that just will resolve internal requests.
You can create on group and add the computer accounts to that group as members, then restrict that group on proxy server.
Sorry my english

 

Thanks for the suggestions. I dont want to do it at the network level because that would block windows updates unless proxi as you suggested.

If nothing else I guess I could get rid of IE shortcuts and create a local policy to prevent software install.

The users i'm targeting wouldnt know how to find ie.exe


I bet there is something in Local policy but I wouldnt even know where to start looking.

 

Scott - if all you need to do is prevent some users from running the app, you can set security on the .exe so it requires power user or admin or something.

 

Thanks Newt I will play with that and see what happens.

 

If you install WSUS then you can use a proxy to block access to the internet on a network level. Installing WSUS will have added advantages of making it possible for you to control what updates are distributed on your network, and you can even control which computers get updates, and which don't. It will also save you a lot of bandwidth, as you will only have to download one copy of each update. Additionally it can greatly increase the time it takes to setup a new computer, as it will automatically download all the required updates over the network.

Regarding your virus guard, if you are using McAfee you can make one computer download a copy of the virus updates and then get all of the other computers to download the updates from that computer. To do this go on to the Virus Scan console and then go onto the Tools menu and select New Mirror Task. You then make it download the updates to a shared folder.
On each of your clients you can then change their Autoupdate Repository List to download updates from that shared folder.



With my current setup the server downloads virus guard updates and Microsoft updates at about 5am. The clients then download the virus guard updates on startup, and the windows updates are distributed at about 11am.

Hope this helps.



a60wattfish