My question is this: Is there a simple (or difficult) way to "lock" the controls for the Firewall Client so a user can't disable it?
1) When laptop users leave the building they need to be able to surf from Internet Cafes, Home network, and so on. , they must be forced to use ISA when "in the building". I'm running ISA2004 with Surfcontrol.
2)Employees and guests MUST be forced through ISA. For guests, we don't have a problem informing guests that they must configure their browser to use our ISA box.
I will accomplish this by either making the ISA the default gateway or by configuring the internet router ignore all traffic unless it comes from ISA.
1) I configured a GPO to force IE to use ISA and disallowed clearing of the checkbox in Tools | Internet Options | Connections | Lan Settings | Use a Proxy Server... This works for desktops that don't leave the building, but doesn't address the "Firefox issue"
2) This also failed because when the laptops left the building, they couldn't see the proxy server, and couldn't get to the internet. (woops, we learn by doing ) It also had no effect on users who have firefox, opera, and any other browser out there.