Deny Internet Access and Allow Intranet Access

[arisecanfly]

Hello everyone,

WHat would be the best way to Deny Internet access and allow intranet access. I need to do this on just one machine, so i dont want to mess with the servers. I would just unplug his Cat cable, but he needs to browse the intranet for information. Any help would be appreciated...

[ss2chef]

Really depends on your network setup (topology).

On many networks you can remove the default gateway which usually hits the Internet.
You can also use ACL's on firewalls or routers to prevent this as well.

Can you post your topology for us to analyze?

[faith_in_death]

well...if you'r using a prxoxy...you can disable it in the registry.....dont remember the exact key..but u can use something like registrymecahnica..or somethi like taht...so it can only view local addresses.....

[arisecanfly]

This is the topology, i work for a large healthcare company. So we are spread out on a windows 2000 network, split off by about a 100 domains within the company. I tried already just taking off the gateway, but im not able to travel through the intranet. What we just realized is that the intranet address is somewhere up north(Northern cali) on a different domain, would this be one of the reasons why we just cant shut down the internet access? Because i also tried to check on "Lan Settings" and install a fake proxy server, to block off most access except for the Intranet. And we also are not able to mess with the ACL on a firewall or a router, because we do not have control and the person who does is away in a day long meeting! Humm i know i can just mess with the HOsts file, but thats gonna take me a while, and i dont really feel like messing with it. BUt like before thanks for all the HELP and thanks for reading...

[cacosapo]

go the the internet fw (or internet router) and add a rule to drop all packets that come from that station.... and its done.

[arisecanfly]

I was thinking of that, im gonna get one of my team members to try that out. Is there any way we can just do it straight from the client? So we wont mess with the servers, firewalls, or routers. I thought there might be a way to do it, but it does seem we will have to shut him off that way. It sucks we dont have an Active Directory, it would of made this a lot easier...

[Tedob1]

arisecanfly if its just for this one user and they wont allow you to break his fingers messing with the hosts file isnt such a bad idea. if you give him bogus dns servers and include in the hosts file just the addresses you want that computer to get to that would do the trick. how many servers does he need access too?

[arisecanfly]

He needs to access about 7 different Intranet Servers, And i think thats what i will have to do is just mess with hosts file. Ok i have to start looking for addresses right now. Thanks guys for everything, and if you guys think of other solutions im always surfing the posts....

[cacosapo]

hum you can create a route to internet (static one) to nowhere. when station try to contact proxy for example, he will be sent to void. and timeout. that you can do at station.
If station is windows xp, start it up and block proxy address.
or put in tcp/ip filter list.
but if user has admin priviledges, he can revert is easily....

[arisecanfly]

I just wanted to thank everyone for their replies and for their help. Results: We installed a Host file blocking off every possible Web portal we can think of, and we also got into his favoriites and blocked all of those. The funny thing is that 3 hours after we finished, they decided to "Consult and train" Him on how to cut down on his surfing! hahahah i guess thats the way the cookie IT crumbles. Again thanks a lot everyone...