#35924 - 2003-02-02 09:38 AM
deny internet access by group
gf
Fresh Scripter
Registered: 2001-07-08
Posts: 29
Hi, I am administrating 25 clients with Win 98 in a Win 2000 server. Is it possible to deny internet access for a group, for example: pupils? Regards, glennf
#35927 - 2003-02-03 08:47 AM
Re: deny internet access by group
jpeachman
Fresh Scripter
Registered: 2002-11-18
Posts: 39
It can be done using KiXtart--I'm doing exactly that at a public school. If your browser is Internet Explorer, you don't actually have to use a proxy server, but this method does require you to create a registry entry for a "phantom" proxy server:
code:
WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyServer", "ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=0.0.0.0:80;https=0.0.0.0:80","REG_SZ")
With this entry in place (which only has to be done once per user account), the following code can be used to turn access on and off:
code:
IF $internet="Y"
    ; access allowed: phantom proxy off, Proxy policy value 0
    WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyEnable","0","REG_DWORD")
    WriteValue("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel","Proxy","0","REG_DWORD")
ELSE
    ; access denied: phantom proxy on, Proxy policy value 1
    WriteValue("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","ProxyEnable","1","REG_DWORD")
    WriteValue("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel","Proxy","1","REG_DWORD")
ENDIF
You can set the value of $internet according to whatever criteria you wish, including group membership. You can also get fancier by turning on or off the IE icon on the desktop, and hiding or showing it in the start menu and quicklaunch bar.
One caveat: on your Windows 98 clients, the HKCU hive (where these entries need to be made) isn't loaded yet when the normal login script is processed. I handle that by including all the HKCU entries for Win9x clients in a second script (called logon9x.kix), and create a RunOnce entry invoking it in my primary login script:
code:
WriteValue("HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce","Logon9x", "kix32.exe \\servername\netlogon\LOGON9x","REG_SZ")
Hope this helps!
Joe
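Added example (not part of the original posts, and not the poster's own script): one way to combine the steps above, setting $internet from group membership, then applying the toggle and reading it back. The group name "Pupils" and every variable name other than $internet are assumptions; on Windows 98 clients this belongs in the second script that runs once HKCU is loaded.

```kixtart
; Added example, not from the original thread.
; Assumed: group name "Pupils"; variable names other than $internet.
$ie      = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$policy  = "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"
$phantom = "ftp=0.0.0.0:80;gopher=0.0.0.0:80;http=0.0.0.0:80;https=0.0.0.0:80"

; Criterion for access: members of the restricted group get none.
IF InGroup("Pupils")
    $internet = "N"
ELSE
    $internet = "Y"
ENDIF

; Make sure the phantom proxy entry exists and has not been altered.
IF ReadValue($ie, "ProxyServer") <> $phantom
    $rc = WriteValue($ie, "ProxyServer", $phantom, "REG_SZ")
ENDIF

; The policy key may not exist on a fresh profile.
IF NOT KeyExist($policy)
    $rc = AddKey($policy)
ENDIF

; "0" = proxy off (access allowed), "1" = phantom proxy on (access denied).
IF $internet = "Y"
    $flag = "0"
ELSE
    $flag = "1"
ENDIF
$rc = WriteValue($ie, "ProxyEnable", $flag, "REG_DWORD")
$rc = WriteValue($policy, "Proxy", $flag, "REG_DWORD")

; Read both values back so a failed write is reported instead of passing silently.
IF ReadValue($ie, "ProxyEnable") <> $flag OR ReadValue($policy, "Proxy") <> $flag
    ? "Internet restriction not applied for " + @USERID
ENDIF
```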
#35928 - 2003-02-03 02:37 PM
Re: deny internet access by group
gf
Fresh Scripter
Registered: 2001-07-08
Posts: 29
Thanks.
This is the kind of code I was looking for.
Anyone knows it can be done with a proxy server
#35929 - 2003-02-03 03:40 PM
Re: deny internet access by group
Stephen Wintle
Seasoned Scripter
Registered: 2001-04-10
Posts: 444
Loc: England
Hello, I use the following to good effect:
code:
;---------------------------------------Removes internet access PER GROUP ----------------------------
;disable proxy
If InGroup("YR6")
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf
;disable proxy
If InGroup("YR8")
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf
;disable proxy
If InGroup("YR9")
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\enanet.reg"
EndIf
;disable proxy
If InGroup("YR10")
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf
;disable proxy
If InGroup("YR11")
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf
;---------------------------------------Removes internet access PER USER ----------------------------
;disable proxy
If @USERID="9368KASHIF"
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf
;disable proxy
If @USERID="9286NAVEED"
    $rmv = DelKey("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    Shell "regedit /s c:\WINDOWS\disanet.reg"
EndIf
Regards
Steve Wintle
_________________________
Don't worry because a rival imitates you. As long as they follow in your tracks they can't pass you!
#35930 - 2003-02-03 03:43 PM
Re: deny internet access by group
Stephen Wintle
Seasoned Scripter
Registered: 2001-04-10
Posts: 444
Loc: England
I guess I'd better tell you that disanet and enanet both toggle the proxy server setting per user, and I have copied each reg setting to the clients.
Steve
#35932 - 2003-02-03 05:29 PM
Re: deny internet access by group
Stephen Wintle
Seasoned Scripter
Registered: 2001-04-10
Posts: 444
Loc: England
IEAK....
Steve
#35935 - 2003-02-03 10:23 PM
Re: deny internet access by group
jpeachman
Fresh Scripter
Registered: 2002-11-18
Posts: 39
I don't disagree that running a REAL proxy server is more ironclad, but....
In real life, 99%+ of the students at my school don't have the skills or knowledge to begin to attack the "problem" of bypassing a reg hack, nor do even the more knowledgeable among them know this is WHY they can't get on in the first place. We do remove display of all IE icons on restricted accounts, and have limited Windows Explorer to local folders only. We've actually done a pretty decent job of closing loopholes through which they might attempt unauthorized internet access, even on Windows 9x machines. They don't have access to Internet Options, registry editing tools, a command prompt, etc., can only run authorized programs, and local hard drive contents are hidden. And our students' computer access is monitored, in that staff are present and screens visible when students are using them.
There are further blocks which could be applied, such as manipulating Content Advisor settings, if you want another line of defense. If you don't mind running more than one network protocol, you might even try fiddling with TCP/IP settings. But in several years, it hasn't been a problem yet, though I'm not oblivious to the possibility--and I'm always looking for new ways to crank up security (I even challenged a gifted student who worked with me to come up with creative ways to hack our system, and used the results to improve our security). But in the end, this is less intended as an absolute lockdown than as a practical management tool. Backing everything up with written policies defining consequences for unauthorized tampering with the system is an essential element, too.
Frankly, as long as some accounts have internet access and some don't, the greater danger probably lies in students obtaining access to passwords letting them use someone else's account, which would be an issue even with a proxy server in place. We all hear that "social engineering" represents the greatest threat to most systems.
I'm not going to say this is the best possible solution, but the question was raised in the KiXtart forum, which I take to imply asking can this be done using KiXtart, and the answer is yes, it can. In our case, there are some practical problems with using a proxy server, with some machines on our network being maintained and controlled by our district, and others at our site level, with different rules and access needs being applicable. It's not necessarily that it can't be physically done, but there are some very real administrative obstacles which we're working with here. Meanwhile, we've come up with an approach that is getting the job done.
Joe