# local security policy to disable internet access in win2k pro



## tranqulized (Apr 7, 2005)

How would I go about setting up a local security policy in windows 2000 pro that would disable internet access to non-administrators but still allow file sharing? This computer is not part of a domain.


----------



## Squashman (Apr 14, 2005)

I dont think you can do it with a local Policy. Your best bet would be to change the gateway address in the TCP/IP settings but that would require you to manually set static IP addresses on all of your machines.

You have to remeber that local policies apply to all users on the system. You can't really delegate policies locally to different groups. Microsoft has tried to remedy this by creating a new tool.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Doug Knox also created his XP Security Console.
http://www.dougknox.com/


----------



## tranqulized (Apr 7, 2005)

well I figured it out... I just set file and folder permissions so non-administrators couldn't read/wite to the internet explorer directory or the fire fox directory. just got rid of the everyone group from those folders...


----------



## Squashman (Apr 14, 2005)

What happens when they bring in a Portable Web Browser that doesn't need to be installed. Something they can run off of a cd, usb drive or floppy disk.


----------



## tranqulized (Apr 7, 2005)

These people aren't that smart.... I doubt any of them know what a flash drive is let alone know how to burn a cd... They have a hard enough time trying to double click an icon...
The problem I can't seem to over come though is that what if they figure out you can type web url's into my computer or windows explorer or even microsoft word.... hopefully they are too dumb to figure those out.
I can't just disable internet access to that computer through the router either... the computer needs to get anti-virus updates, and windows updates... but those only seem to work in the admin account, so thats not really the issue.
Do you have any other suggestions to further stop them from getting on the internet?


----------



## DarX1de (Dec 2, 2005)

try gpedit.msc from the run prompt


----------



## Resolution (Sep 17, 2005)

DarX1de said:


> try gpedit.msc from the run prompt


And then what?


----------



## Squashman (Apr 14, 2005)

This may work for you.

Open IE > Tools > Internet Options > Connection Settings > LAN Settings. 

Check Proxy Server > Enter localhost for the address > click advanced. 

Check the box for "Use same proxy server for all protocols". 

Next under exceptions just list the sites you want them to have access too separated by a semi-colon. 

*.forums.techguy.org;*.google.com

Now you will have to also set a local policy to keep them from seeing the connections tab in Internet Explorer or you can probably set a registry setting as well.


----------

