My question is this: Is there a simple (or difficult) way to "lock" the controls for the Firewall Client so a user can't disable it?
1) When laptop users leave the building they need to be able to surf from Internet Cafes, Home network, and so on. They must be forced to use ISA when "in the building". I'm running ISA2004 with Surfcontrol.
2) Employees and guests MUST be forced through ISA. For guests, we don't have a problem informing guests that they must configure their browser to use our ISA box.
I will accomplish this by either making the ISA the default gateway or by configuring the internet router to ignore all traffic unless it comes from ISA.
1) I configured a GPO to force IE to use ISA and disallowed clearing of the checkbox in Tools | Internet Options | Connections | LAN Settings | Use a Proxy Server... This works for desktops that don't leave the building, but doesn't address the "Firefox issue".
2) This also failed because when the laptops left the building, they couldn't see the proxy server, and couldn't get to the internet. (Whoops, we learn by doing.) It also had no effect on users who have Firefox, Opera, and any other browser out there.
If you only give outbound access to authenticated users, then the users must be able to authenticate against the ISA server in the first place. That means that only Web Proxy and Firewall client requests will be allowed. SecureNAT client requests can never authenticate.
For corporate managed workstations, I like to configure the firewall client to automatically detect the ISA server and let the Firewall client configure IE with the configuration script if the ISA server is detected by the Firewall client. Else, the Firewall client will not touch the IE settings.