# Disable network access for one local user account



## GoranM (Jul 31, 2007)

I have one PC (WinXP Pro) which has two local user accounts. This computer is connected to a workgroup. The first user (belongs to the Administrators group) should be able to access workgroup resources (this is not a problem). The second user (belongs to the Users group) should not be able to see the workgroup at all (so I can't use NTFS permissions). Is this possible and how?

Thanks,
Goran


----------



## justpassingby (Mar 11, 2007)

Hi GoranM!

It's doable using the group policy settings (start => run => gpedit.msc):



> To prevent a user from accessing the internet:
> 
> 1. Select the No Internet group Policy under your domain and press Add under Security Filtering.
> 
> ...


Source : http://windowsitpro.com/article/art...ernet-access-for-a-specific-user-account.html

If this method doesn't work, check the other method in the above article.

Else there's also this: http://www.howtonetworking.com/Internet/restrictie11.htm


----------



## GoranM (Jul 31, 2007)

justpassingby, I think you didn't understand my question.

- This problem is not internet related, this PC doesn't have an internet connection
- this is a workgroup in question, not a domain
- one PC in question, two local user accounts on it

I want to deny one user access to the local network. This has to be done without using NTFS permissions, and the user should not even see the network. I am guessing either some policy that will change IP settings, or stopping some service like Workstation.


----------



## justpassingby (Mar 11, 2007)

Sorry, I only read the title and didn't focus on the description.

Found a commercial program (not free, there's a downloadable demo but probably limited in time or features) that had these options:
http://www.softheap.com/help/newadmin/network_and_workgroup.html
Is this what you're trying to do? Sorry I can't be of more help.


----------



## GoranM (Jul 31, 2007)

Well, network access doesn't necessarily mean internet access. This software, at first look, only hides information in Network Places; I don't see anywhere it mentions that it completely disables network access, so the user could access it by manually typing the resource.


----------



## justpassingby (Mar 11, 2007)

You could use NTFS permissions on top of it so he can't access the folders.

If you set the other account as a limited account I believe you can restrict his access even more but I can't help much with that, I have always had a single user account and I use XP Home. Maybe someone from the networking team will know more.


----------



## GoranM (Jul 31, 2007)

Well, there are already Share and NTFS permissions set on the server PC, but as I said, this user should not be able to SEE the network at all, this is a requirement.

I am still busting my head with this, I just cannot understand why this is so difficult - to set for a particular user profile "no network connection allowed".


----------



## user501sc (Nov 25, 2007)

Do not know if this will solve your problem, but have you looked at setting up a profile in Device Manager for this user? You could disable the network adapters and remove any connectivity for that user/profile. Just a thought.


----------



## GoranM (Jul 31, 2007)

A hardware profile is something that is set before the user screen is displayed, and when chosen it applies for all users, so it's not applicable in this situation.


----------



## johnwill (Sep 26, 2002)

You can configure this user's network properties to eliminate any connectivity. If it's a limited user account, they will not be able to change that.


----------



## GoranM (Jul 31, 2007)

What can I say, John, simple and efficient. And what is worse, I actually did a similar thing for my nephew's account, although I just removed DNS settings, so he cannot access the internet. I could be forgiven for not remembering such a simple solution, since I am writing some software at the moment (programmer by occupation), and I don't know where my head is (deadlines, deadlines). But I cannot believe that some people on other forums that actually are network administrators by occupation could not remember this?

Thanks.


----------



## johnwill (Sep 26, 2002)

Well, I miss some obvious ones at times too, so I won't say anything. :grin:


----------



## GoranM (Jul 31, 2007)

Actually, John, it seems that the IP address is computer specific, not user specific. When I set the IP for the user with administrator privileges, the limited user also uses that IP address.

So, is there any way I can have the IP be user specific?


----------



## johnwill (Sep 26, 2002)

Here's a thread on that very topic, it's a little more complicated than I made it sound. :grin:

http://www.tomshardware.com/forum/137672-45-restrict-internet-access-administrator-account-only


----------



## GoranM (Jul 31, 2007)

That is only for internet access, I need to deny network access for the limited user.


----------



## johnwill (Sep 26, 2002)

You can do that with Group Policies.


----------



## GoranM (Jul 31, 2007)

Can you explain how?


----------



## johnwill (Sep 26, 2002)

Actually, in looking, that is only a partial solution, you have to define policies by program. Here's a page that describes how to do it with IP Filtering. http://www.securityfocus.com/infocus/1559


----------



## Chevy (Jul 25, 2003)

Since you need to block a single user account, try this:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

For $10 (it's worth it) you can lock that account down as much as you'd like. The pay version makes it much easier (instead of adding the target account to the Admin group, then running this, you can run it from an approved admin level account and edit the target user from there).

Very nice - I used it to lock down PCs for public access at trade shows.


----------



## johnwill (Sep 26, 2002)

Nice utility Chevy, I hadn't seen that one before! :smile: I have a use for this one right here!


----------



## Chevy (Jul 25, 2003)

It's a good'un. I started using it to help parents lock down their "script-kiddie" kids.

Got some very dirty looks after the house call. :grin:


----------



## johnwill (Sep 26, 2002)

That's what I'm going to do with it as well. :grin:


----------



## GoranM (Jul 31, 2007)

johnwill, I will take a look at the link you have provided to see if it can solve my problem.

Chevy, I have bumped into this application while I was googling for my problem, but I don't see which part of it is connected with my problem? I can remove "network shortcuts" from the start menu and desktop, but that doesn't prevent the user from accessing a share with `\\computername\sharename`.

Am I missing something here?


----------



## Chevy (Jul 25, 2003)

GoranM said:


> johnwill, I will take a look at the link you have provided to see if it can solve my problem.
> 
> Chevy, I have bumped into this application while I was googling for my problem, but I don't see which part of it is connected with my problem? I can remove "network shortcuts" from the start menu and desktop, but that doesn't prevent the user from accessing a share with `\\computername\sharename`.
> 
> Am I missing something here?


Just take away access to the RUN command ... :grin:


----------



## GoranM (Jul 31, 2007)

Yes, and the address bar from My Computer... How would I handle Total Commander?


----------



## johnwill (Sep 26, 2002)

Put it on the restricted programs list.


----------



## GoranM (Jul 31, 2007)

This is not the right direction, I would end up locking the whole PC from the user. There are tons of explorers that can browse the network and I can't disallow them all. Is there some way I can disallow some application/process that is network specific?


----------



## krazyko (Nov 12, 2008)

Another thing you can use is Windows SteadyState.

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

It's free for genuine Windows XP and Vista.


----------



## johnwill (Sep 26, 2002)

GoranM said:


> This is not the right direction, I would end up locking the whole PC from the user. There are tons of explorers that can browse the network and I can't disallow them all. Is there some way I can disallow some application/process that is network specific?


If you've prevented the user from installing programs... 

The real way to do this is to have a real server with a proxy server that can have detailed restrictions.


----------



## GoranM (Jul 31, 2007)

johnwill said:


> If you've prevented the user from installing programs...
> 
> The real way to do this is to have a real server with a proxy server that can have detailed restrictions.


Installing software is the least of the problems, since there is a USB and an optical drive, and many portable applications that have no need for registry use.

Seems to me that this is not possible, since I could not find an answer anywhere?


----------



## johnwill (Sep 26, 2002)

Normally, that kind of thing would be controlled from the other end, which is how most companies do the trick.


----------

