[THIN] Re: Registry Key to deny internet access

  • From: Charles Fraser <fraserc@xxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 21 Sep 2006 07:35:05 -0400

There are 2 easy ways to do this by GPO. The 1st is User Configuration > Windows Settings > Internet Explorer Maintenance > Connections > Proxy Settings. Check the Enable Proxy Settings box; for the proxy server address choose 10.0.0.1. Check Use same proxy server for all addresses and un-check Do Not Use Proxy Server for intranet addresses. I use this for several classes of users and it works well. The advantage of doing it in this manner is that in the event you need to add sites to allow these users to go to, you can add them to the exception list.

The second way is to disallow iexplore.exe via GPO. That policy is located in User Configuration > Administrative Templates > System > Don't run specified Windows applications. Then you would enable that policy and add iexplore.exe.


There are also 3rd-party applications like AppSense that you can use as well, but I think the GPO method will work for you.



Charlie



Andrew Wood wrote:
Just to clarify - I wasn't thinking of NTFS permission, but by using the GPO
to block access to iexplore.exe: I should have said really.

.pac file would be the best way - just remember the ctx article re: pac
files referenced with the file:// format -
http://support.citrix.com/article/CTX102407&searchID=30002963



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jeremy Saunders
Sent: 21 September 2006 12:12
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Registry Key to deny internet access

Hi David,

You need to set up a proxy.pac file and leave IE set to "Automatic Detect
Settings". You also lock down the Connections tab so that no one has access
to it. The proxy.pac can control exactly what you want. It's the perfect
control mechanism. When someone tries to access the Internet, it can send
them to a "bogus" proxy server that is actually an IIS web site that will
display a page saying that "This workstation cannot access the Internet",
although you can still access all Intranet sites. I've just implemented this
for a client and am most of the way through writing a whitepaper on this, as
there is little information out there on how to do it correctly.
Can you wait a couple more days and I'll send it to you?

Cheers.
Kind regards,
Jeremy Saunders
Senior Technical Specialist
Infrastructure Technology Services (ITS) & Cerulean Global Technology Services (GTS)
IBM Australia
Level 2, 1060 Hay Street
West Perth WA 6005
Visit us at http://www.ibm.com/services/au/its
P: +61 8 9261 8412
F: +61 8 9261 8486
M: TBA
E-mail: jeremy.saunders@xxxxxxxxxxx









From: David <dmauri@xxxxxxxxx>
Sent by: thin-bounce@freelists.org
Date: 21/09/2006 06:59 PM
Please respond to: thin@xxxxxxxxxxxxg
To: thin@xxxxxxxxxxxxx
cc:
Subject: [THIN] Re: Registry Key to deny internet access





Andrew Wood wrote:
You could either disable access to iexplore; or set the proxy to a value that doesn't exist - then disallow the user from changing the value.


Yes, I did it. But some applications (our intranet) use Iexplore.exe... so the NTFS permissions are not the best solution. I would like to find this registry key and set the 'false' value in it... I have found this key: HKusers\....sid.....\Software\Microsoft\Windows\Currentversion\internet setting and the value: Defaultconnectionsettings: Type Reg_binary

but I don't know what value to change. If it's possible, of course.


************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************
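
The proxy.pac approach described in the thread, sketched as an added example that is not from any poster or from the whitepaper mentioned: intranet names go direct, listed exceptions use a real proxy, and everything else is sent to the block-page server. All host names, ports and the exception list are hypothetical placeholders.

```javascript
// Added example: every host name below is a hypothetical placeholder.
var BLOCK_PROXY = "PROXY blockpage.corp.example:80"; // IIS site serving the "no Internet" page
var REAL_PROXY = "PROXY proxy.corp.example:8080";    // outbound proxy used only for exceptions
var INTRANET_DOMAINS = ["corp.example"];             // internal DNS domains, fetched directly
var ALLOWED_DOMAINS = ["support.citrix.com"];        // external exception list (constructed)

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Match on a label boundary so "notcorp.example" and
// "corp.example.evil.test" are not mistaken for the intranet domain.
function inDomainList(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (host === domains[i] || endsWith(host, "." + domains[i])) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  // Single-label names (no dot, and not an IPv6 literal) are intranet servers.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) {
    return "DIRECT";
  }
  if (inDomainList(host, INTRANET_DOMAINS)) {
    return "DIRECT";
  }
  if (inDomainList(host, ALLOWED_DOMAINS)) {
    return REAL_PROXY;
  }
  // No "; DIRECT" fallback: if the block-page server is down, requests fail
  // instead of going straight out. IP literals also land here unless listed.
  return BLOCK_PROXY;
}
```

The PAC file only steers clients that read it, which is why the thread pairs it with locking down the Connections tab so users cannot point the browser elsewhere.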

