Over time, I've heard many admins ask about controlling some users' Internet access. I've had good success using the method below in an Active Directory environment.
My company has three levels
First, create two groups: InternetAllowed and InternetLimited. We will make "Internet not allowed" the default policy, so that access is granted only by explicitly placing a user in one of these groups.
Add the users whom you wish to have Internet access to exactly one of the two groups. A user who is in neither group cannot access the Internet.
Open Group Policy Management at the domain root, or at the root of the particular OU containing your user accounts. In this example I will use the OU XYZ.COM, with the user accounts in the child OU called USERS. The policies will be created and applied at the parent OU XYZ.COM.
(Note: I am using GPMC for Windows 2003. Windows 2000 admins can make all of the same configurations, but will find the settings in a different format.)
Create a policy called InternetDisabled. Set the policy to Enforced, and disable the computer settings to speed up processing of the policy. Open the policy for editing and go to User Settings, Windows Settings, Internet Explorer Maintenance, Connections, Proxy Settings. For the proxy server, enter a fictitious name such as NOJOY and a fictitious port such as 888. Close the editor. Leave Authenticated Users with Apply checked, because we do want everyone to be denied access by this policy.
Create a second policy called InternetLimited. Set the policy to Enforced, and disable the computer settings to speed up processing of the policy. Open the policy for editing and go to User Settings, Windows Settings, Internet Explorer Maintenance, Connections, Proxy Settings. For the proxy server, enter the same fictitious name (NOJOY) and fictitious port (888).
Now we specify the Internet domains the limited users may access; anything not listed will be denied. In the Exceptions box, create entries like this sample (the text inside the quote marks): "www.google.com; news.google.com; *.msn.com" and so on. Note: the box will let you type pages of entries, but anything over 512 characters is truncated.
Notice that InternetLimited has been manually moved up in the link order.
In these examples, I am being very specific for Google, but am allowing anything at msn, yahoo, etc. These are simply examples of the syntax; your company's choice of sites will certainly differ.
Now here is where we set the group to which this particular policy applies. In the security properties, uncheck Apply Group Policy for Authenticated Users, add the InternetLimited group, and check Apply Group Policy for it.
You will notice that Apply is unchecked for Authenticated Users; only InternetLimited has Apply checked.
We also have to get the order of the policies right. This policy must be higher in the list (lower link order number) than the InternetDisabled policy, so that it is applied after the default deny policy; because of the security filtering, this of course affects only the users in the InternetLimited group. Remember: policies are read from the bottom to the top of the list.
Now for the last ingredient: the InternetAllowed (unlimited) users. Create a third policy called InternetAllowed. Set the policy to Enforced, and disable the computer settings to speed up processing of the policy. We do not need to configure any settings in this policy; we are going to let it "override" the proxy settings of the default deny policy.
Now we set the group to which this particular policy applies. In the security properties, uncheck Apply Group Policy for Authenticated Users, add the InternetAllowed group, and check Apply Group Policy for it. We also have to get the order of the policies right. This policy must be higher in the list (lower link order number) than both the InternetDisabled policy and the InternetLimited policy, so that it is applied after both; because of the security filtering, this of course affects only the users in the InternetAllowed group.
It is possible to have more than one InternetLimited policy and group, each specifying a different set of exception sites. But keep in mind: you cannot combine them, because of the 512-character limit, and if a user is in more than one policy, the last one applied will always win.
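The same three-policy layout, scripted as an added example with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT); this is not the author's procedure, which uses the GPMC dialogs. It assumes a placeholder domain xyz.com with the groups created in OU=USERS, and because the Internet Explorer Maintenance proxy dialog is not scriptable, it writes the equivalent per-user Internet Settings registry values instead; since a registry value is not undone by an empty policy, InternetAllowed explicitly sets ProxyEnable to 0 rather than being left empty as in the text.

```powershell
# Added example (not from the original tip). Assumes RSAT modules, the placeholder
# domain xyz.com, and registry values in place of the IE Maintenance proxy dialog.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = 'DC=xyz,DC=com'                 # placeholder: link target (parent of OU=USERS)
$userOu     = "OU=USERS,$domainDn"            # placeholder: where the two groups are created
$fakeProxy  = 'NOJOY:888'                     # unreachable proxy = default deny
$exceptions = 'www.google.com;news.google.com;*.msn.com'   # sample allow-list for InternetLimited
$ieKey      = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# The Exceptions box silently truncates past 512 characters; fail loudly instead.
if ($exceptions.Length -gt 512) {
    throw "Exception list is $($exceptions.Length) characters; the 512-character limit would truncate it."
}

foreach ($g in 'InternetAllowed', 'InternetLimited') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $userOu
}

# Linked in this order: each New-GPLink -Order 1 pushes the earlier links down, so the
# result is InternetAllowed at 1 (applied last, wins), InternetLimited at 2, InternetDisabled
# at 3 (applied first, overridden for members of the other two groups).
$policies = @(
    @{ Name = 'InternetDisabled'; Group = $null;             ProxyEnable = 1 }
    @{ Name = 'InternetLimited';  Group = 'InternetLimited'; ProxyEnable = 1 }
    @{ Name = 'InternetAllowed';  Group = 'InternetAllowed'; ProxyEnable = 0 }
)

foreach ($p in $policies) {
    $gpo = New-GPO -Name $p.Name
    $gpo.GpoStatus = 'ComputerSettingsDisabled'      # user settings only; speeds up processing
    New-GPLink -Name $p.Name -Target $domainDn -LinkEnabled Yes -Enforced Yes -Order 1 | Out-Null

    # Note: these are preference keys, so the values remain on the client if the GPO is removed.
    Set-GPRegistryValue -Name $p.Name -Key $ieKey -ValueName ProxyEnable -Type DWord -Value $p.ProxyEnable | Out-Null
    if ($p.ProxyEnable -eq 1) {
        Set-GPRegistryValue -Name $p.Name -Key $ieKey -ValueName ProxyServer -Type String -Value $fakeProxy | Out-Null
    }
    if ($p.Name -eq 'InternetLimited') {
        # Only the allow-listed sites bypass the fake proxy for limited users.
        Set-GPRegistryValue -Name $p.Name -Key $ieKey -ValueName ProxyOverride -Type String -Value $exceptions | Out-Null
    }
    if ($p.Group) {
        # Security filtering: Authenticated Users keep Read but lose Apply; only the group applies.
        Set-GPPermission -Name $p.Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
        Set-GPPermission -Name $p.Name -TargetName $p.Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
}
```

Run `Get-GPInheritance -Target $domainDn` afterwards to confirm the three links sit in the order described above before adding users to the groups.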
Note: I have seen it take a couple of log-in cycles before some policies take full effect, and policies may not take effect until all Active Directory controllers replicate these policy changes. It all depends on your particular environment.
Here's a more detailed document with screen captures.
This was first published in January 2007