System Admin: Need help with Logon Scripts, Group Policy Etc...

[Moby-Dick]

is your activedirectory 200 or 2003 ?

if it is 2003 , then look up software restriction policies

The only problem with restricting access to IE is that it might well affect other parts of windows.

you'd be better of to restrict IE to only be able to connect to trusted sites , then use that trusted site list to maintain a whitelist of sites , which may well just be the company main site , or intranet.

[Vini]

its 2003. the whitelist sounds like a good idea. excellent.

thanks for your help MD!

[Vini]

you'd be better of to restrict IE to only be able to connect to trusted sites , then use that trusted site list to maintain a whitelist of sites , which may well just be the company main site , or intranet.

thought it would be simple, however upon investigation doesnt appear to be so.

where do these features/options sit in ad2003?

[Moby-Dick]

http://www.computerperformance.co.uk...r.htm#Security

[Vini]

read through that and got a white list running but IE still seems to happily browse to all sites.

that aside, can i run batch files as logon scripts?

[Nox]

uninstall?

or, if you follow this:

create a group on the client machine, call it CLIENT-IE or something
add this group to c:\program files\internet explorer and remove all non-admin rights. This should be applied to all sub-dirs too.

great, now the only people who can use IE are people with local admin rights, or in this group. want easy admin of this group?

create a domain group called DOM-IE, and add this into the CLIENT-IE group on the local machine. Now anyone in the DOM-IE group can use IE when they log on.

you should be able to do this for anything, but will require a bit of experimenting. You may run into a few probs, but as long as the system has access to that dir you should be fine.

oh, and that will work without this active dir malarky

Nox

[Nox]

Can you not block the sites on your proxy server ?

Nox

[rickyboy]

uninstall?

or, if you follow this:

create a group on the client machine, call it CLIENT-IE or something
add this group to c:\program files\internet explorer and remove all non-admin rights. This should be applied to all sub-dirs too.

great, now the only people who can use IE are people with local admin rights, or in this group. want easy admin of this group?

create a domain group called DOM-IE, and add this into the CLIENT-IE group on the local machine. Now anyone in the DOM-IE group can use IE when they log on.

you should be able to do this for anything, but will require a bit of experimenting. You may run into a few probs, but as long as the system has access to that dir you should be fine.

oh, and that will work without this active dir malarky

Nox

What is to stop people typing a URL into the Windows Explorer address bar?

Blocking all but your site (or a site which says 'You do not have Internet access') is the best way to go if you want to block IE.

[Moby-Dick]

hence needing somethign like dansguardian or websence

[badass]

Firewall+proxy settings defined by a GPO for people that are allowed access to the internet.
block outgoing communication from the firewall apart from servers and then only allow for the services they run. Then use a proxy server for internet access for admins, with the proxy settings defined through group policy

[Vini]

Config User / Admin template / System / Prevent users from using specific progrms

disable access to iexplore.exe has worked fine..

now im after a way to tidy up the start menu, showing only programs of my choice.

[Nox]

What is to stop people typing a URL into the Windows Explorer address bar?

Windows NT here mate

Vini did you check that you can't access websites from windows explorer?

proxy server is the best way to go... by far.

Nox

[Vini]

cant access by:

iexplore.exe
windows explorer/my computer
opening an application which "links to their homepage"
windows update button
any interactive cd which runs IE.

[Moby-Dick]

so having a 2nd browser on a USB stick would get round that

such as...

http://johnhaller.com/jh/mozilla/portable_firefox/


hence why your next mission is to ban USB drives & ipods - or prevent them from connecting to the network.

just think how easy it woudl be from someone to plug a usb HD in an remove data from the network.

or worse still , a trusted employee taking info home to work on ( eg sensetive stuff )
but his usb HD get nicked on the way home.

the same HD that contains confidential , yet unencrpyted data.

its a nightmare just waiting to happen

[Vini]

nah, these machines are locked down enough for that not to be an issue, if they really do want to access the web its fine we dont have any *STRICT* rules, however this will put most off trying to access...