Prevent user internet access on terminal server

[Guest Martrad]

Hi,

 

We have a policy in place that populates the users proxy settings with the

proxy server info and access to the internet is controlled by a proxy server

using an "Internet Access" group.

 

This works fine on the users desktops.

 

When the users login to our terminal server the policy applies to their

login and they are granted internet access on the terminal server.

 

How can I stop them accessing the internet on the terminal server but still

allow then access on their own PC?

[Guest Jeff Pitsch]

Re: Prevent user internet access on terminal server

 

Enable loopback processing (select replace) in a separate GPO and apply

that gpo to the OU of the terminal servers. This will prevent the users

gpo from applying to the terminal server.

 

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

 

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

 

Martrad wrote:

> Hi,

>

> We have a policy in place that populates the users proxy settings with the

> proxy server info and access to the internet is controlled by a proxy server

> using an "Internet Access" group.

>

> This works fine on the users desktops.

>

> When the users login to our terminal server the policy applies to their

> login and they are granted internet access on the terminal server.

>

> How can I stop them accessing the internet on the terminal server but still

> allow then access on their own PC?

[Guest Vera Noest [MVP]]

Re: Prevent user internet access on terminal server

 

That's a bit amazing, because if the proxy policy is applied to the

users, and you don't use loopback processing on the TS, then the

users should be equally restricted on the TS as the desktops, with

your custom proxy. But read on:

 

From:

http://ts.veranoest.net/ts_faq_applications.htm#IE_prevent

 

Q: How can I prevent my users from surfing the Internet in their TS

sessions?

 

A: If you want to prevent users from running Internet Explorer

alltogether, you can use a Software Restriction Policy:

 

Computer Configuration - Windows Settings - Security Settings

- Software Restriction Policies - Additional Rules - New path rule

Path: "%programfiles%\internet explorer\iexplore.exe"

Security level: Disallowed

 

For a detailed description, check this article:

324036 - How To Use Software Restriction Policies in Windows Server

2003

http://support.microsoft.com/?kbid=324036

 

Another way to achieve the same effect is to change the NTFS

permissions on iexplore.exe.

 

Both metods described above have the disadvantage that users cannot

start IE at all, which will probably break other applications. And

they won't be able to use your Intranet either.

 

If you want to avoid these problems, but still disable surfing the

Internet, you can set a proxy address pointing to your local Intranet

webserver, or the localhost:

 

User Configuration - Windows Settings - Internet Explorer Maintenance

- Connection - Proxy

 

Set this policy in a GPO which is applied to the OU which contains

your Terminal Server, and be sure to also configure "loopback

processing" of the policy:

 

Computer Configuration - Administrative Templates - System - Group

Policy

"User Group Policy loopback processing mode" - "Replace"

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?TWFydHJhZA==?= <Martrad@discussions.microsoft.com> wrote

on 25 jul 2007 in microsoft.public.windows.terminal_services:

> Hi,

>

> We have a policy in place that populates the users proxy

> settings with the proxy server info and access to the internet

> is controlled by a proxy server using an "Internet Access"

> group.

>

> This works fine on the users desktops.

>

> When the users login to our terminal server the policy applies

> to their login and they are granted internet access on the

> terminal server.

>

> How can I stop them accessing the internet on the terminal

> server but still allow then access on their own PC?

[Guest Martin Lockey]

Re: Prevent user internet access on terminal server

 

Vera,

 

Thanks for your reply..

 

The proxy policy sets the proxy server address in internet explorer so they

"can" use the internet on their computers.

We still want to allow them to do this but not allow them to use their

sessions on the terminal server to browse the internet.

Currently when they log onto the terminal server it applies the user policy

which populates the proxy details and allows them to browse the internet on

the Terminal Server. Obviously users browsing the internet on the server

provides a great risk to the server/domain therefore we want to stop this but

still allow the desktop use.

 

 

 

"Vera Noest [MVP]" wrote:

> That's a bit amazing, because if the proxy policy is applied to the

> users, and you don't use loopback processing on the TS, then the

> users should be equally restricted on the TS as the desktops, with

> your custom proxy. But read on:

>

> From:

> http://ts.veranoest.net/ts_faq_applications.htm#IE_prevent

>

> Q: How can I prevent my users from surfing the Internet in their TS

> sessions?

>

> A: If you want to prevent users from running Internet Explorer

> alltogether, you can use a Software Restriction Policy:

>

> Computer Configuration - Windows Settings - Security Settings

> - Software Restriction Policies - Additional Rules - New path rule

> Path: "%programfiles%\internet explorer\iexplore.exe"

> Security level: Disallowed

>

> For a detailed description, check this article:

> 324036 - How To Use Software Restriction Policies in Windows Server

> 2003

> http://support.microsoft.com/?kbid=324036

>

> Another way to achieve the same effect is to change the NTFS

> permissions on iexplore.exe.

>

> Both metods described above have the disadvantage that users cannot

> start IE at all, which will probably break other applications. And

> they won't be able to use your Intranet either.

>

> If you want to avoid these problems, but still disable surfing the

> Internet, you can set a proxy address pointing to your local Intranet

> webserver, or the localhost:

>

> User Configuration - Windows Settings - Internet Explorer Maintenance

> - Connection - Proxy

>

> Set this policy in a GPO which is applied to the OU which contains

> your Terminal Server, and be sure to also configure "loopback

> processing" of the policy:

>

> Computer Configuration - Administrative Templates - System - Group

> Policy

> "User Group Policy loopback processing mode" - "Replace"

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?TWFydHJhZA==?= <Martrad@discussions.microsoft.com> wrote

> on 25 jul 2007 in microsoft.public.windows.terminal_services:

>

> > Hi,

> >

> > We have a policy in place that populates the users proxy

> > settings with the proxy server info and access to the internet

> > is controlled by a proxy server using an "Internet Access"

> > group.

> >

> > This works fine on the users desktops.

> >

> > When the users login to our terminal server the policy applies

> > to their login and they are granted internet access on the

> > terminal server.

> >

> > How can I stop them accessing the internet on the terminal

> > server but still allow then access on their own PC?

>

[Guest Vera Noest [MVP]]

Re: Prevent user internet access on terminal server

 

OK, I've given 3 alternatives to achieve this, choose the one that

best serves your needs.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?TWFydGluIExvY2tleQ==?=

<MartinLockey@discussions.microsoft.com> wrote on 25 jul 2007 in

microsoft.public.windows.terminal_services:

> Vera,

>

> Thanks for your reply..

>

> The proxy policy sets the proxy server address in internet

> explorer so they "can" use the internet on their computers.

> We still want to allow them to do this but not allow them to use

> their sessions on the terminal server to browse the internet.

> Currently when they log onto the terminal server it applies the

> user policy which populates the proxy details and allows them to

> browse the internet on the Terminal Server. Obviously users

> browsing the internet on the server provides a great risk to the

> server/domain therefore we want to stop this but still allow the

> desktop use.

>

>

>

> "Vera Noest [MVP]" wrote:

>

>> That's a bit amazing, because if the proxy policy is applied to

>> the users, and you don't use loopback processing on the TS,

>> then the users should be equally restricted on the TS as the

>> desktops, with your custom proxy. But read on:

>>

>> From:

>> http://ts.veranoest.net/ts_faq_applications.htm#IE_prevent

>>

>> Q: How can I prevent my users from surfing the Internet in

>> their TS sessions?

>>

>> A: If you want to prevent users from running Internet Explorer

>> alltogether, you can use a Software Restriction Policy:

>>

>> Computer Configuration - Windows Settings - Security Settings

>> - Software Restriction Policies - Additional Rules - New path

>> rule Path: "%programfiles%\internet explorer\iexplore.exe"

>> Security level: Disallowed

>>

>> For a detailed description, check this article:

>> 324036 - How To Use Software Restriction Policies in Windows

>> Server 2003

>> http://support.microsoft.com/?kbid=324036

>>

>> Another way to achieve the same effect is to change the NTFS

>> permissions on iexplore.exe.

>>

>> Both metods described above have the disadvantage that users

>> cannot start IE at all, which will probably break other

>> applications. And they won't be able to use your Intranet

>> either.

>>

>> If you want to avoid these problems, but still disable surfing

>> the Internet, you can set a proxy address pointing to your

>> local Intranet webserver, or the localhost:

>>

>> User Configuration - Windows Settings - Internet Explorer

>> Maintenance - Connection - Proxy

>>

>> Set this policy in a GPO which is applied to the OU which

>> contains your Terminal Server, and be sure to also configure

>> "loopback processing" of the policy:

>>

>> Computer Configuration - Administrative Templates - System -

>> Group Policy

>> "User Group Policy loopback processing mode" - "Replace"

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?TWFydHJhZA==?= <Martrad@discussions.microsoft.com>

>> wrote on 25 jul 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Hi,

>> >

>> > We have a policy in place that populates the users proxy

>> > settings with the proxy server info and access to the

>> > internet is controlled by a proxy server using an "Internet

>> > Access" group.

>> >

>> > This works fine on the users desktops.

>> >

>> > When the users login to our terminal server the policy

>> > applies to their login and they are granted internet access

>> > on the terminal server.

>> >

>> > How can I stop them accessing the internet on the terminal

>> > server but still allow then access on their own PC?