Windows Server - Unable to block internet access through GPO by using a proxy

Asked By BeckyBoo12 on 15-Jan-09 04:50 AM
Hello.
I have been trying to block internet access to a few certain users by
setting up a GPO which uses a proxy to block access to the net.
I read in several places that this was the best way to do it.
So, I created a new GPO called "No internet", amongst other things I set the
proxy settings to 127.0.0.1 and then applied the policy to the users in
question.
All of my policy has taken effect, I can see everything in place. It even
displays the proxy that I put in.
However, when I attempt to browse it still allows internet access even
though the proxy is in place.
It looks like it is just ignoring this setting. Is there anything I can do
to force this setting to be active?




Meinolf Weber [MVP-DS] replied on 20-Jan-09 09:07 PM
Hello BeckyBoo12,

Did you check on the client with gpresult /v that the policy is applied?
If you do not use the gpupdate command it can take up to 120 minutes.

Also are you aware that this policy only applies to IE?

If a user runs Firefox or any other web browser from USB, for example, the
policy will not help. You have to use a real proxy like ISA Server or Squid (free).

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Florian Frommherz [MVP] replied on 15-Jan-09 05:33 AM
Howdie!

It certainly isn't. Setting the proxy address only catches IE - other
browsers, applications and stuff can use the configuration the
LAN-Connection has configured.


The policy is applied to the users? Can you confirm with gpresult and
rsop.msc?

Apart from that - to really make sure the internet access is blocked, check
for a firewall/proxy implementation that is capable of using AD as a base.
ISA and Squid can do that - there are also others (free). Blocking access on
the clients is bad design. You're configuring file access on the shares on
the servers - not at the clients, right? You should do that with the
internet access, too.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
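The two replies above boil down to the same check: confirm with gpresult that the GPO reached the user, then confirm that the settings it writes are actually the ones IE reads. The following PowerShell script is an added example for this thread, not code posted by Meinolf, Florian or Microsoft. It reads the per-user IE proxy values from the registry, checks whether the "Prevent changing proxy settings" policy is in force, and searches the gpresult output for the GPO name. The GPO name "No Internet Policy" is taken from Becky's gpresult listing further down the thread; the registry paths are the standard IE locations, and running it in the restricted user's own session (not an admin's) is assumed.

```powershell
# Added example (not from the thread): audit the effective IE proxy state for
# the user running this script. Assumes the GPO is named "No Internet Policy".
param(
    [string]$GpoName = 'No Internet Policy'   # GPO name to look for in gpresult
)

# Per-user values IE reads for its manual proxy configuration
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# "Prevent changing proxy settings" (User Config > Admin Templates > IE) writes Proxy=1 here
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-IeProxyState {
    $s = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]($s.ProxyEnable)          # 1 = use the manual proxy
        ProxyServer   = [string]($s.ProxyServer)       # e.g. localhost:8080
        ProxyOverride = [string]($s.ProxyOverride)     # bypass list, ';' separated
        AutoConfigURL = [string]($s.AutoConfigURL)     # a PAC script wins over the manual proxy
        UserCanChange = -not ($p -and ($p.Proxy -eq 1))
    }
}

function Test-GpoApplied([string]$Name) {
    # gpresult /v lists the GPO under "Applied Group Policy Objects"
    $out = & gpresult.exe /scope user /v 2>&1 | Out-String
    return ($out -match [regex]::Escape($Name))
}

$state = Get-IeProxyState
$state | Format-List

$problems = @()
if (-not (Test-GpoApplied $GpoName)) {
    $problems += "GPO '$GpoName' not listed by gpresult: run gpupdate /force, then log off and on"
}
if ($state.ProxyEnable -ne 1)  { $problems += 'ProxyEnable is 0: IE connects directly' }
if (-not $state.ProxyServer)   { $problems += 'ProxyServer is empty' }
if ($state.AutoConfigURL)      { $problems += 'AutoConfigURL is set and takes precedence over the manual proxy' }
if ($state.UserCanChange)      { $problems += '"Prevent changing proxy settings" is not enforced; the user can undo the proxy' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'Proxy lock-down looks effective for IE. Other applications are not covered by these values.'
}
```

The last line restates the point both MVPs make: these values only govern Internet Explorer (and applications that use the WinINet settings), so a clean result here says nothing about other browsers or tools.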
BeckyBoo12 replied on 15-Jan-09 05:56 AM
Yes, gpresult on the user profile shows that the policy I have set up is
active and no other policies are overriding it.
We have no other browsers installed on our Terminal servers, only IE7.

Can you suggest anything else?
BeckyBoo12 replied on 15-Jan-09 06:15 AM
I can confirm both of those, this is my gpresult:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\tuser>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 15/01/2009 at 11:02:30


RSOP data for ******\tuser on TS1 : Logging Mode
-------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:         Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:
Local Profile:               C:\Documents and Settings\tuser
Connected over a slow link?: No


USER SETTINGS
--------------
CN=Test User,OU=No Internet,OU=***** Users,DC=*****,DC=local
Last time Group Policy was applied: 15/01/2009 at 10:23:34
Group Policy was applied from:      dc1.*****.local
Group Policy slow link threshold:   500 kbps
Domain Name:                        *****
Domain Type:                        Windows 2000

Applied Group Policy Objects
-----------------------------
No Internet Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering:  Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
TERMINAL SERVER USER
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
RDP Users

And my rsop.msc results show that proxy settings are enabled, using
127.0.0.1 for all addresses.

At some point we will be upgrading our firewall but at the moment it has no
capability of blocking access for certain users only so using a GPO seems like
the only option. Do you know the names of any free software which can do this
for us?

I understand completely what you are saying. I will bear this in mind,
hopefully the MD's will let us spend money to avoid this.
JAMiE13 replied on 15-Jan-09 06:39 AM
Hi Becky,

I agree with the others that blocking on the client side is not good
practice; however we sometimes need to make do with the resources we
currently have implemented. Are these users on the TS using applications that
are web-based? If they do not need to use the web browser then you could
create a GPO user configuration software restriction policy to prevent
specific users from using the web browser application.

http://support.microsoft.com/kb/324036

http://technet.microsoft.com/en-us/library/cc737304.aspx

Regards,
BeckyBoo12 replied on 15-Jan-09 07:17 AM
Hi thanks for all of the responses. That is a good idea, I will be able to
apply that if all else fails, however these users will require IE access for
local intranet and also authorised courier sites, e.g. DHL and TNT parcel tracking.

Is there a way I can still allow access to these sites while blocking any
other web activity by using something other than proxy settings (as this does
not seem to work anyway!)?

Cheers!
JAMiE13 replied on 15-Jan-09 08:08 AM
Hi Becky,

So they need to access certain sites on the internet and the intranet site
as well. What are the proxy settings that you configured on the user
configuration GPO?

Regards,

Jamie
BeckyBoo12 replied on 15-Jan-09 08:51 AM
Yes, that's right Jamie.
Do you mean what proxy address did I apply? If so, I first tried 0.0.0.0
which didn't work, then I changed it to 127.0.0.1 which also doesn't work.

Thanks for your suggestions so far.....keep them coming!
JAMiE13 replied on 15-Jan-09 09:18 AM
In my last reply I was referring to the settings in the GPO, such as the
options you selected.

Try using localhost and the port 8080.

Instead of doing this through GPO during the testing phase, try logging onto
the server and setting these in the Internet Options to test with a test
user account. When configuring in the Internet Options make sure to tick just
the options specified under proxy server.

I know this should work because sometimes I go home and my work laptop will
have proxy settings configured and will block my browsing the internet until
I disable the proxy settings.

Regards,

Jamie
Phillip Windell replied on 15-Jan-09 11:43 AM
Becky,

I hate to drop in late in a long thread and be a "stick in the mud",...but
this whole endeavour is pretty much a waste of time.  Controlling users'
access to the Internet is not what GPO is for.  GPO is basically a glorified
want.

What you need is a firewall or a proxy server that can control access based
on Active Directory User Accounts.

The only product I know that does this *well* because it was intentionally
designed to be that way from the start is MS's ISA Server 2004 & 2006.   The
next version of it  is having a name change to MS TMG (Threat Management
Gateway).

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
BeckyBoo12 replied on 15-Jan-09 12:21 PM
YIPPEEEEEE! SUCCESS!!

I did what you said, I removed the current proxy settings from the GPO,
logged in to the test user profile and adjusted the proxy to localhost which
worked straight away. So I then removed it from the proxy settings on the
user profile and put the same settings back on the GPO and it worked like a
dream.
All the settings are now locked down so they can't change these proxy
settings and I have allowed some exceptions to allow access to the courier
sites they need.

One last thing, when they browse and are blocked by the policy, they will
get the standard "page cannot be displayed" message. Is there any way we can
customise this with a standard company message, e.g. "this is not one of your
authorised sites, please contact IT if you need it unblocked"?
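What makes the working configuration tick is the combination of a proxy address where nothing listens (localhost:8080) and an exception list that sends the permitted hosts direct. The exception list is the part most easily got wrong, so the script below is an added example, not Jamie's or Becky's configuration, that models how IE evaluates the "Do not use proxy server for addresses beginning with" list (the ProxyOverride value): entries separated by ';', '*' as a wildcard and '<local>' meaning hostnames without a dot. The proxy address is the one from the thread; the exception entries and test URLs are constructed for illustration, and the matching is a simplified model of IE's host comparison (it ignores port and scheme prefixes an entry may carry).

```powershell
# Added example (not from the thread): which destinations bypass the dead
# localhost proxy under a given IE ProxyOverride list? Constructed values.
$ProxyServer   = 'localhost:8080'                        # from the thread
$ProxyOverride = '*.dhl.com;*.tnt.com;intranet;<local>'  # constructed allow-list

function Test-ProxyBypass {
    param(
        [string]$Url,
        [string]$Override = $ProxyOverride
    )
    $hostName = ([uri]$Url).Host.ToLowerInvariant()
    $entries  = $Override -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -eq '<local>') {
            # IE's definition of "local": a hostname containing no period
            if ($hostName -notmatch '\.') { return $true }
            continue
        }
        # turn the IE wildcard entry into an anchored, case-insensitive regex
        $pattern = '^' + [regex]::Escape($entry.ToLowerInvariant()).Replace('\*', '.*') + '$'
        if ($hostName -match $pattern) { return $true }
    }
    return $false
}

function Get-ProxyDecision([string]$Url) {
    if (Test-ProxyBypass -Url $Url) {
        'DIRECT  (allowed by exception list)'
    } else {
        "PROXY $ProxyServer  (blocked: nothing listens there)"
    }
}

# Constructed test URLs: two courier sites, the intranet, an unrelated site,
# and the bare domain that '*.dhl.com' does NOT cover.
$samples = 'http://www.dhl.com/tracking',
           'https://www.tnt.com/',
           'http://intranet/',
           'http://www.example.com/',
           'http://dhl.com/'
foreach ($u in $samples) {
    '{0,-30} -> {1}' -f $u, (Get-ProxyDecision $u)
}
```

The last sample is the usual surprise: '*.dhl.com' matches www.dhl.com but not dhl.com itself, so a courier link that redirects to the bare domain still lands on the dead proxy. Listing both forms in the exception list avoids that. The approach also only "blocks" as long as nothing is listening on the chosen localhost port, which is worth re-checking on a shared terminal server after any software install.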
BeckyBoo12 replied on 15-Jan-09 12:37 PM
Hi, thanks for the input. I understand that, as I mentioned in my earlier
reply, our firewall does not currently have these capabilities. This is a
temporary measure until we upgrade, but it is a crucial one as we have had
users managing to bypass our content filtering and breach company policy.

Thank you anyway.
JAMiE13 replied on 15-Jan-09 09:05 PM
Hi Becky,

I have found the perfect solution for you considering the company budget
etc. It is a freeware Proxy server called Freeproxy400. I have downloaded and
installed it in my test lab and it works a treat. It is also Active Directory
aware; therefore you can restrict sites by AD group membership. It doesn't
compare to ISA server; however it would be better than using a GPO to control
this traffic. You can configure granular permissions, for example allowing
users in a specific group to access specified sites and allowing another
group full access. If you are interested and need assistance with the
configuration let me know.


http://www.handcraftedsoftware.org

Have a great day

Regards,

Jamie
BeckyBoo12 replied on 16-Jan-09 03:38 AM
You have amazed me! You certainly know your stuff.
I am in the process of downloading this right now, you are right, it looks
perfect for our needs!

We have only just installed our 2003 servers and were totally Unix based
before so all of this is very new and it is taking a while to get my head
around it! None of our PCs are even on the domain yet (that's the next
problem I will be asking about) but we have loads of RDP users who are
getting out of control.
If I have any more problems, I will be looking for you straight away!

Thank you again Jamie! :-)
JAMiE13 replied on 16-Jan-09 04:04 AM
Hi Becky,

I am glad to assist you in your transition to a Microsoft network. I know
how I would feel if I had to migrate to Unix environment. I am also currently
working on a project which consists of merging 7 organisations into one
network. This has been an exciting time, actually we kicked off the first
pilot migration yesterday.

Anyhow, my email is: jamiepederson1@msn.com, feel free to drop me a line if
you require any assistance with the proxy configuration.


Regards,

Jamie Pederson
BeckyBoo12 replied on 16-Jan-09 06:58 AM
Great! I have added you to my address book and emailed you :-)