That's a bit amazing, because if the proxy policy is applied to the
users, and you don't use loopback processing on the TS, then the
users should be equally restricted on the TS as the desktops, with
your custom proxy. But read on:
From:
http://ts.veranoest.net/ts_faq_applications.htm#IE_prevent
Q: How can I prevent my users from surfing the Internet in their TS
sessions?
A: If you want to prevent users from running Internet Explorer
alltogether, you can use a Software Restriction Policy:
Computer Configuration - Windows Settings - Security Settings
- Software Restriction Policies - Additional Rules - New path rule
Path: "%programfiles%\internet explorer\iexplore.exe"
Security level: Disallowed
For a detailed description, check this article:
324036 - How To Use Software Restriction Policies in Windows Server
2003
http://support.microsoft.com/?kbid=324036
Another way to achieve the same effect is to change the NTFS
permissions on iexplore.exe.
Both metods described above have the disadvantage that users cannot
start IE at all, which will probably break other applications. And
they won't be able to use your Intranet either.
If you want to avoid these problems, but still disable surfing the
Internet, you can set a proxy address pointing to your local Intranet
webserver, or the localhost:
User Configuration - Windows Settings - Internet Explorer Maintenance
- Connection - Proxy
Set this policy in a GPO which is applied to the OU which contains
your Terminal Server, and be sure to also configure "loopback
processing" of the policy:
Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - "Replace"
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?TWFydHJhZA==?= <Martrad@discussions.microsoft.com> wrote
on 25 jul 2007 in microsoft.public.windows.terminal_services:
> Hi,
>
> We have a policy in place that populates the users proxy
> settings with the proxy server info and access to the internet
> is controlled by a proxy server using an "Internet Access"
> group.
>
> This works fine on the users desktops.
>
> When the users login to our terminal server the policy applies
> to their login and they are granted internet access on the
> terminal server.
>
> How can I stop them accessing the internet on the terminal
> server but still allow then access on their own PC?