Revoke user access to Internet via Group Policy method

When an admin needs to revoke someone's Internet access, one of the cleanest and most "native" methods involves using Group Policy.

If your organization has specific rules about Internet access, odds are someone is going to have their access revoked at some point. When this does happen, it's best to make the process of revoking or restoring access as transparent and painless as possible.

I've seen several ways to do this, but one of the cleanest and most "native" (i.e., the one that makes the best use of existing functions within Windows) is a method that involves using Group Policy to enforce a novel restriction on the target user. The method sets the Internet proxy server for the user's system to a nonexistent proxy server and prevents the user from making any changes. The "proxy" is actually just the local host -- -- so all proxy requests are redirected right back to the system that sent them.

Many third-party programs that attempt to access the Internet, whether for their own sake or to provide access for a user, can detect and make use of the Windows network proxy settings. They are the same settings as those configured in the Control Panel under Internet Options | Connections | LAN Settings. If these programs can have their connectivity settings changed by the end user (as is typically the case with Firefox), then this proxy-blocking technique may not work.

However, this method can get more complicated with some third-party programs. For instance, Firefox can automatically detect proxy settings, but it is difficult to lock down these settings since Firefox uses a local preferences configuration file rather than a Registry entry that can be Group Policy-enforced. It is possible to lock down the settings without using Group Policy, but this approach is not very elegant and more or less begs to be circumvented with time. (There is not yet an officially supported way to integrate Firefox with Active Directory or Group Policy.) Therefore, this is something you only want to use when you can manage every aspect of the target desktop's applications.
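To confirm that the restriction described above is actually in force for a user, an administrator can audit that user's proxy settings from the user's own session. The following is an added example, not code from the original article. It assumes the standard per-user Internet Options registry values and the "Prevent changing proxy settings" policy value, and it treats any loopback address as the "nonexistent proxy", since the article's exact value is not shown.

```powershell
# Added example: audit the current user's Windows proxy lockdown (run in that user's session).
# Assumptions: the standard per-user Internet Options values are used, and the
# "nonexistent proxy" is a loopback address (127.x.x.x, localhost or [::1]).
function Test-ProxyLockdown {
    [CmdletBinding()]
    param(
        [string]$SettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        [string]$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    )

    $settings = Get-ItemProperty -Path $SettingsKey -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path $PolicyKey   -ErrorAction SilentlyContinue

    # ProxyServer is either "host:port" or a per-protocol list:
    # "http=host:port;https=host:port;ftp=host:port"
    $entries = @()
    if ($settings.ProxyServer) {
        $entries = @($settings.ProxyServer -split ';' | Where-Object { $_ })
    }

    # Every entry must point at loopback; one real proxy entry leaves a working path out.
    $loopback = '^(?:[a-z]+=)?(?:[a-z]+://)?(?:127(?:\.\d{1,3}){3}|localhost|\[::1\])(?::\d+)?$'
    $nonLoopback = @($entries | Where-Object { $_ -notmatch $loopback })
    $allLoopback = ($entries.Count -gt 0) -and ($nonLoopback.Count -eq 0)

    $result = [pscustomobject]@{
        ProxyEnabled    = ($settings.ProxyEnable -eq 1)   # manual proxy switched on
        ProxyIsLoopback = $allLoopback                    # points back at the local machine
        # A configured auto-configuration script (PAC) can supply a different proxy.
        NoAutoConfigUrl = [string]::IsNullOrEmpty($settings.AutoConfigURL)
        ChangesLocked   = ($policy.Proxy -eq 1)           # user cannot edit proxy settings
        Compliant       = $false
    }
    $result.Compliant = $result.ProxyEnabled -and $result.ProxyIsLoopback -and
                        $result.NoAutoConfigUrl -and $result.ChangesLocked
    return $result
}

Test-ProxyLockdown | Format-List
```

A `Compliant` value of `False` with `ChangesLocked` also `False` means the proxy is set but the user can simply change it back. The check covers only applications that honor the Windows proxy settings, so programs with their own connection settings, such as Firefox, need separate review.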

Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!


This was first published in February 2006