Windows NT Prevent user internet access on terminal server


Martrad

Hi,

We have a policy in place that populates the users' proxy settings with the
proxy server info and access to the internet is controlled by a proxy server
using an "Internet Access" group.

This works fine on the users' desktops.

When the users log in to our terminal server the policy applies to their
login and they are granted internet access on the terminal server.

How can I stop them accessing the internet on the terminal server but still
allow them access on their own PC?
 
Enable loopback processing (select Replace) in a separate GPO and apply
that GPO to the OU of the terminal servers. This will prevent the users'
GPO from applying to the terminal server.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

Martrad wrote:
> Hi,
>
> We have a policy in place that populates the users' proxy settings with the
> proxy server info and access to the internet is controlled by a proxy server
> using an "Internet Access" group.
>
> This works fine on the users' desktops.
>
> When the users log in to our terminal server the policy applies to their
> login and they are granted internet access on the terminal server.
>
> How can I stop them accessing the internet on the terminal server but still
> allow them access on their own PC?
 
That's a bit amazing, because if the proxy policy is applied to the
users, and you don't use loopback processing on the TS, then the
users should be equally restricted on the TS as the desktops, with
your custom proxy. But read on:

From:
http://ts.veranoest.net/ts_faq_applications.htm#IE_prevent

Q: How can I prevent my users from surfing the Internet in their TS
sessions?

A: If you want to prevent users from running Internet Explorer
altogether, you can use a Software Restriction Policy:

Computer Configuration - Windows Settings - Security Settings
- Software Restriction Policies - Additional Rules - New path rule
Path: "%programfiles%\internet explorer\iexplore.exe"
Security level: Disallowed

For a detailed description, check this article:
324036 - How To Use Software Restriction Policies in Windows Server
2003
http://support.microsoft.com/?kbid=324036

Another way to achieve the same effect is to change the NTFS
permissions on iexplore.exe.

Both methods described above have the disadvantage that users cannot
start IE at all, which will probably break other applications. And
they won't be able to use your Intranet either.

If you want to avoid these problems, but still disable surfing the
Internet, you can set a proxy address pointing to your local Intranet
webserver, or the localhost:

User Configuration - Windows Settings - Internet Explorer Maintenance
- Connection - Proxy

Set this policy in a GPO which is applied to the OU which contains
your Terminal Server, and be sure to also configure "loopback
processing" of the policy:

Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - "Replace"

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Martrad <Martrad@discussions.microsoft.com> wrote
on 25 jul 2007 in microsoft.public.windows.terminal_services:

> Hi,
>
> We have a policy in place that populates the users' proxy
> settings with the proxy server info and access to the internet
> is controlled by a proxy server using an "Internet Access"
> group.
>
> This works fine on the users' desktops.
>
> When the users log in to our terminal server the policy applies
> to their login and they are granted internet access on the
> terminal server.
>
> How can I stop them accessing the internet on the terminal
> server but still allow them access on their own PC?
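
A verification check for the proxy-plus-loopback approach described in the reply above, added here as an example and not part of the original post: run inside a user session on the terminal server, it reads the registry values that Group Policy and Internet Explorer use for these settings. The function names and the list of acceptable proxy hosts are assumptions; the check also assumes per-user proxy settings (the default).

```powershell
# Added example (not from the thread). Assumed "dead-end" proxy targets;
# replace with the intranet web server set in your GPO if you used that instead.
$AllowedProxyHosts = @('localhost', '127.0.0.1')

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-TsInternetLockdown {
    $findings = @()

    # Loopback processing mode: UserPolicyMode 1 = Merge, 2 = Replace.
    $mode = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode'
    if ($mode -ne 2) {
        $findings += "Loopback processing is not set to Replace (UserPolicyMode = '$mode')."
    }

    # Proxy values Internet Explorer reads for the logged-on user.
    $inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $enabled = Get-RegValue $inet 'ProxyEnable'
    $server  = [string](Get-RegValue $inet 'ProxyServer')

    if ($enabled -ne 1 -or -not $server) {
        $findings += 'No proxy is configured in this session; IE will attempt direct connections.'
    } else {
        # ProxyServer is "host:port" or "http=host:port;https=host:port;...".
        foreach ($entry in ($server -split ';')) {
            if (-not $entry) { continue }
            $hostPort  = (($entry -split '=')[-1]) -replace '^\w+://', ''
            $proxyHost = ($hostPort -split ':')[0]
            if ($AllowedProxyHosts -notcontains $proxyHost) {
                $findings += "Proxy entry '$entry' points at '$proxyHost', not a lockdown target."
            }
        }
    }

    if ($findings.Count -eq 0) {
        'PASS: loopback Replace is active and the session proxy is a dead end.'
    } else {
        $findings | ForEach-Object { "FAIL: $_" }
    }
}

Test-TsInternetLockdown
```

A FAIL on the proxy entry while `UserPolicyMode` is 2 usually means the proxy GPO is not linked to the terminal servers' OU; `gpresult` in the same session shows which GPOs were applied.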
 
Vera,

Thanks for your reply.

The proxy policy sets the proxy server address in Internet Explorer so they
"can" use the internet on their computers.
We still want to allow them to do this but not allow them to use their
sessions on the terminal server to browse the internet.
Currently when they log onto the terminal server it applies the user policy
which populates the proxy details and allows them to browse the internet on
the Terminal Server. Obviously users browsing the internet on the server
provides a great risk to the server/domain; therefore we want to stop this but
still allow the desktop use.

 
OK, I've given 3 alternatives to achieve this; choose the one that
best serves your needs.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___