• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Block single user from Internet ISA 2004

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Block single user from Internet ISA 2004 Page: [1]
Login
Message << Older Topic   Newer Topic >>
Block single user from Internet ISA 2004 - 20.Dec.2010 9:33:55 AM   
sharpear

 

Posts: 1
Joined: 20.Dec.2010
Status: offline
Hi,

I am new to ISA Management and currently working with a 2004 Version. I am not sure if this this located in the correct location as I didn't get to choose where to load this thread.

Currently I have a user who spends more time on the internet surfing unrelated to work. This user should not even be accessing the internet. I am looking for a way to block this single users from opening IE or any other Web browser and sending out a request for website content. I have tried a GPO "Deny Internet Access", but it does not seem to block the user from Accessing the Internet. I know he knows how to turn off the Proxy Server, but the GPO is only set to re-enable the proxy every time a logon or off is required. There are times I manually disable his sessions from ISA, which is why he goes into the Proxy settings and removes it from the list, when it gives the error connections denied. This user has finally hit #1 on the Top Web Users and I now want to revoke all his Internet access.


I thought of just removing the explorer from the computer, but it's easily added back on if the users know what they are doing and does not require the Windows XP cd, as I have tested this with 2 friends from home. Any advice on how to set up blocking a single user would be helpful.



Some Things to Mention

Domain is set up DHCP. Most PCs stay with the same IPs, but does not mean at any point they can be changed. (I doubt he will take this route to get around, but also worry about blocking another user if the list is updated and changed).

FireWall is set to, allow all outgoing from all authenticated users (no names in this list), Under Exceptions it has Block Internet Users (with my GPO and his Username in this Block Internet Users section). Then 2nd rule is deny all. Not sure if it works currently an update I made over the weekend.

Would it be simpiler to create another rule above the Allow all Outgoing to block all request for this single user? Will he still have the ability to print to the network printers, as his only task is removing staples and printing header pages. And will he be able to disable the Proxy Wall still to get Internet access.


Thanks in Advance and please keep the explination as simplified as possible, or very detailed so I can do some exploring through ISA controls to find what you are referring to.
Post #: 1
RE: Block single user from Internet ISA 2004 - 20.Dec.2010 11:26:24 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,
quote:

FireWall is set to, allow all outgoing from all authenticated users (no names in this list), Under Exceptions it has Block Internet Users (with my GPO and his Username in this Block Internet Users section).

I guess you donŽt need "All open" access rule. Allow only the protocols needed. His user name is in the list and not getting blocked?
quote:

Domain is set up DHCP. Most PCs stay with the same IPs, but does not mean at any point they can be changed. (I doubt he will take this route to get around, but also worry about blocking another user if the list is updated and changed).

You can also make a reservation on DHCP server, so his machine youŽll always get the same IP. But, he seems to have some knowledge on how to change IP address. Nevertheless, it will not work also.

The real problem is not how to block him on ISA firewall, because there is always a way to bypass firewalls (in general). You must also take some administrative action. Take these reports you have and show it to his boss.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to sharpear)
Post #: 2
RE: Block single user from Internet ISA 2004 - 9.May2011 7:25:46 AM   
reasonableman

 

Posts: 7
Joined: 29.Jun.2007
Status: offline
you can create a rule to deny to access to internet for a single user. Just try this

New Access Rule --> Action to take Deny
-->All Outbound Traffic --> Internal(here you can also specify his computername) --> External --> Under the user sets click Add---> Click New (Wizard will start)--> Type the AD name of the user under Add--->Windows users and groups-->next and finish--> clcik the username and click ADD-->Close-->Next-->Finish


Moreover you can also disable users from chaning the IE Proxy settings through Group Policy.




(in reply to paulo.oliveira)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Block single user from Internet ISA 2004 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts