Guest Martrad
Posted July 25, 2007

Hi,

We have a policy in place that populates the users' proxy settings with the proxy server info, and access to the internet is controlled by a proxy server using an "Internet Access" group.

This works fine on the users' desktops.

When the users log in to our terminal server, the policy applies to their login and they are granted internet access on the terminal server.

How can I stop them accessing the internet on the terminal server but still allow them access on their own PC?

Guest Jeff Pitsch
Posted July 25, 2007

Re: Prevent user internet access on terminal server

Enable loopback processing (select Replace) in a separate GPO and apply that GPO to the OU of the terminal servers. This will prevent the users' GPO from applying to the terminal server.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough? Get support from the experts at your business
http://jeffpitschconsulting.com

Guest Vera Noest [MVP]
Posted July 25, 2007

Re: Prevent user internet access on terminal server

That's a bit amazing, because if the proxy policy is applied to the users, and you don't use loopback processing on the TS, then the users should be equally restricted on the TS as the desktops, with your custom proxy. But read on:

From:
http://ts.veranoest.net/ts_faq_applications.htm#IE_prevent

Q: How can I prevent my users from surfing the Internet in their TS sessions?

A: If you want to prevent users from running Internet Explorer altogether, you can use a Software Restriction Policy:

Computer Configuration - Windows Settings - Security Settings - Software Restriction Policies - Additional Rules - New path rule
Path: "%programfiles%\internet explorer\iexplore.exe"
Security level: Disallowed

For a detailed description, check this article:
324036 - How To Use Software Restriction Policies in Windows Server 2003
http://support.microsoft.com/?kbid=324036

Another way to achieve the same effect is to change the NTFS permissions on iexplore.exe.

Both methods described above have the disadvantage that users cannot start IE at all, which will probably break other applications. And they won't be able to use your Intranet either.

If you want to avoid these problems, but still disable surfing the Internet, you can set a proxy address pointing to your local Intranet webserver, or the localhost:

User Configuration - Windows Settings - Internet Explorer Maintenance - Connection - Proxy

Set this policy in a GPO which is applied to the OU which contains your Terminal Server, and be sure to also configure "loopback processing" of the policy:

Computer Configuration - Administrative Templates - System - Group Policy
"User Group Policy loopback processing mode" - "Replace"

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

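A check for the proxy-plus-loopback alternative described in the post above, as an added example that is not part of the original thread: run in a user's session on the terminal server, it reads the loopback mode and the session's IE proxy from their standard registry locations and reports what is missing. The value of `$ExpectedProxy` is an assumed placeholder for whatever dead-end address the terminal server GPO sets.

```powershell
# Added example. Run inside a user's session on the terminal server.
# $ExpectedProxy is an assumed placeholder for the dead-end proxy set in the TS GPO.
$ExpectedProxy = '127.0.0.1:80'

function Get-LoopbackMode {
    # UserPolicyMode: 1 = Merge, 2 = Replace; absent means loopback is not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $p = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotConfigured' }
    switch ($p.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { "Unknown($($p.UserPolicyMode))" }
    }
}

function Get-SessionProxy {
    # Per-user IE proxy values for the logged-on session.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = [bool]$p.ProxyEnable
        Server  = [string]$p.ProxyServer
    }
}

$mode     = Get-LoopbackMode
$proxy    = Get-SessionProxy
$findings = @()

if ($mode -ne 'Replace') {
    $findings += "Loopback mode is '$mode': the user's own GPO settings are still processed on this server."
}
if (-not $proxy.Enabled) {
    $findings += 'No proxy is enabled in this session: IE will attempt direct connections.'
}
elseif ($proxy.Server -ne $ExpectedProxy) {
    # A per-protocol proxy appears as 'http=host:port;...' and will not match a plain host:port.
    $findings += "Proxy is '$($proxy.Server)', expected '$ExpectedProxy'."
}

if ($findings.Count -eq 0) { 'OK: Replace-mode loopback and the dead-end proxy are both in effect.' }
else { $findings }
```

The proxy setting only affects applications that honour the IE proxy configuration, so outbound filtering for the terminal server at the proxy or firewall is the control that holds if a user changes or bypasses it.
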
Guest Martin Lockey
Posted July 25, 2007

Re: Prevent user internet access on terminal server

Vera,

Thanks for your reply.

The proxy policy sets the proxy server address in Internet Explorer so they "can" use the internet on their computers. We still want to allow them to do this but not allow them to use their sessions on the terminal server to browse the internet. Currently when they log onto the terminal server it applies the user policy which populates the proxy details and allows them to browse the internet on the Terminal Server. Obviously users browsing the internet on the server provides a great risk to the server/domain, therefore we want to stop this but still allow the desktop use.

Guest Vera Noest [MVP]
Posted July 25, 2007

Re: Prevent user internet access on terminal server

OK, I've given 3 alternatives to achieve this, choose the one that best serves your needs.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___