2

How do I create a Group Policy that will prevent my users from accessing specific web-sites? I am at the 2008r2 functional level.

sysadmin1138
Ahmad
  • The thing you want to achieve is mostly done by a transparent proxy server on the gateway, not by GPO. – Alan Nov 14 '11 at 13:58

3 Answers

6

You need to set up an outbound proxy (Threat Management Gateway, Squid, etc.) and use Group Policy to force Internet Explorer to pass all traffic through this proxy if it is not in-line. If you make the proxy in-line, then all traffic will, obviously, pass through it regardless of IE settings, making the GPO pointless.

You cannot accomplish this natively through GPO without doing something kludgey like making a hosts file on a network share with the appropriate sites blocked and using the Group Policy Preferences file update setting to push it to computers. I really advise against this. Take the time to set up a proxy and do it the right way.

MDMarra
    This is more of an answer. I would add that if it's not inline, you really should set up Access Control so that your domain computers can not get out without going through the proxy. – Dan Nov 14 '11 at 14:06
  • @Dan Completely agreed. I thought about adding that, but didn't want to muddy the waters too much. It's a very valid addition, though. – MDMarra Nov 14 '11 at 14:07
3

There's no built in standard way to achieve this using Group Policy.

Dan
1

For a Computer policy, one possible method is to use a hosts file. You could create a custom hosts file that contains the names that you want to block, and deploy that using the Group Policy Preferences feature to copy files. (Computer Configuration > Preferences > Windows settings > Files).

Keep in mind that this approach may not offer the granularity desired in all scenarios, and you cannot block a TLD in a hosts file, only specific names. It may also not be appropriate if the hosts file is in use for other pre-existing names. A typical entry may be:

127.0.0.1 localhost facebook.com www.facebook.com  

Some domains are difficult to block due to the large number of host names and different FQDNs required.

For the file source, you could specify:

\\domain.com\SysVol\domain.com\Policies\{GPO guid}\Machine\Preferences\Files 

And be sure to copy the modified hosts file to that location.

File destination would be: %systemroot%\system32\drivers\etc\hosts

The "Action" would be "Replace".

Note that the normal group policy refresh applies to this GPO. Testing has confirmed that the file will be re-copied at the normal interval (by default, 90 minutes for a computer GPO).

Greg Askew
  • The downside to this (besides the terrible manageability) is that if a user is an administrator, it can be circumvented easily. – MDMarra Nov 14 '11 at 20:06
  • That downside would apply to any GPO. All group policies are easily circumvented by someone with administrator permissions. – Greg Askew Nov 14 '11 at 20:32
  • Some more easily than others. Group Policy File Preferences only apply at logon, others refresh at the specified background interval. – MDMarra Nov 14 '11 at 20:40
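An added example (not part of any answer above) for the hosts-file approach in Greg Askew's answer: because the GPP "Replace" action overwrites the whole file, the block list has to be merged with whatever the file already contains, and because a hosts file matches exact names only, entries such as a bare TLD or a wildcard cannot be expressed and are rejected rather than silently written. The existing hosts content and the block list are constructed sample data.

```python
import re

# Constructed sample of the hosts file already on the target machines; the GPP
# "Replace" action overwrites the whole file, so these entries must be carried over.
EXISTING_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # constructed pre-existing entry
"""

# Constructed block list. A hosts file matches exact names only: a bare TLD or a
# wildcard cannot be expressed, so those two entries are expected to be rejected.
BLOCK_LIST = ["facebook.com", "www.facebook.com", "m.facebook.com",
              "*.facebook.com", "com", "intranet.example.local"]

# At least one dotted label before the TLD; no wildcards, no bare TLDs.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def build_hosts(existing, block_list, sink="127.0.0.1"):
    """Merge a block list into an existing hosts file.

    Returns (new_file_text, rejected_names). Names already present in the
    existing file are left alone rather than duplicated.
    """
    present = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) >= 2:
            present.update(n.lower() for n in fields[1:])

    accepted, rejected = [], []
    for raw in block_list:
        name = raw.strip().lower()
        if not HOSTNAME_RE.match(name):
            rejected.append(raw)
        elif name not in present:
            present.add(name)              # also de-duplicates within the list
            accepted.append(name)

    out = [existing.rstrip("\n"), "", "# --- managed block list (deployed via GPP Files) ---"]
    out += ["%s %s" % (sink, n) for n in accepted]
    return "\n".join(out) + "\n", rejected


if __name__ == "__main__":
    text, bad = build_hosts(EXISTING_HOSTS, BLOCK_LIST)
    print(text)
    print("rejected (cannot be expressed in a hosts file):", bad)
```

The resulting text is what you would copy to the SYSVOL path named in the answer before the GPP Files item deploys it with the "Replace" action.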