View Full Version : GPO Equivalent on local machine????


Kevin
I have a few sites not on Active Directory. At those sites I need to deploy a
few "public" machines. I only want these machines to have access to three
websites (1 internal and two external), and nothing else. I don't want them
to be able to change anything. I would like for them to see as little as
possible (other than the three websites).

I know there are some options in the local security policy section, but this
seems to be a stripped down version compared to settings available in AD.

Is there a way to get the full AD setting options for a local machine (I
hope this makes sense).

I would even consider third party apps if necessary.

Thanks,
Kevin




Andrew Mitchell
"Kevin" said

> I have a few sites not on Active Directory. At those sites I need to
> deploy a few "public" machines. I only want these machines to have
> access to three websites (1 internal and two external), and nothing
> else. I don't want them to be able to change anything. I would like for
> them to see as little as possible (other than the three websites).
>
> I know there are some options in the local security policy section, but
> this seems to be a stripped down version compared to settings available
> in AD.
>
> Is there a way to get the full AD setting options for a local machine (I
> hope this makes sense).
>
> I would even consider third party apps if necessary.
>

No need. Use a local policy.
Browse to UserConfig/IEMaintenance/Connection/ProxySettings and enter a proxy
server that doesn't exist. In the exceptions list, put in the URLs that you
want them to have access to. That way, any site other than the ones you have
specified will cause IE to look for a proxy that doesn't exist and return an
error to the user.

Then you can just browse through UserConfig/AdminTemplates/WindowsComponents
and disable whatever settings you don't want the users playing around with.

Andy.

Kevin
Great idea manipulating the proxy setting! That will work for the website
issue.

There are a lot of settings in AD that do not appear in the local security
policy like: hiding local drives, disabling control panel, disabling display
settings...etc.

These are just a few examples. Is there any way to get these options on the
local machine?

Thanks again,
Kevin



Kevin
I just realized... I think you might have misunderstood my post. These
machines are not on a network with AD. So there is no "user config" to
browse through. That's why I asked about local policies.

I went into the local Internet Setting and did the fake proxy trick, but the
exceptions only worked for our local Intranet. The two external sites were
also blocked, which doesn't work for me.

Any other suggestions would be appreciated.

Kevin



Steven L Umbach
You have to use gpedit.msc to bring up Group Policy on the local machine, and by
default the settings will apply to all users that log on to that computer, even the
local administrators. In addition to Andrew's tip you can try IPsec filtering on port
80/443 to allow access only to the sites you desire based on IP address, or
use personal firewalls on those computers to do the same, or you may even be able to
do it at the perimeter firewall. See the link below for an example on IPsec
filtering. --- Steve

http://www.securityfocus.com/infocus/1559



Andrew Mitchell
"Kevin" said

> I just realized... I think you might have misunderstood my post. These
> machines are not on a network with AD. So there is no "user config" to
> browse through. That's why I asked about local policies.
>

If you run gpedit.msc it will give you a group policy editor that will apply
local policies including blocking control panel, display properties etc.

I would strongly suggest you read
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293655 before doing
this, because by default local policies apply to all users including
administrators and you risk locking yourself out of your own computer.

> I went into the local Internet Setting and did the fake proxy trick, but
> the exceptions only worked for our local Intranet. The two external
> sites were also blocked, which doesn't work for me.
>

You need to do it through gpedit and place the sites you want access to in
the Bypass Proxy list.

Andy.
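
Added example (not part of the thread and not code from any poster): a PowerShell audit of the per-user WinINET values behind the "fake proxy plus bypass list" setup described above, including whether the proxy settings are locked against user changes. The host names, the sink address `127.0.0.1:9` and the function names are constructed placeholders, and it assumes a Windows version with PowerShell available.

```powershell
# Added example: audit the per-user proxy allowlist on a kiosk machine.
# Host names and the sink address are constructed placeholders, not values from the thread.
$SinkProxy = '127.0.0.1:9'     # assumed: nothing listens here, so proxied requests fail
$Allowed   = @('intranet.example.local', 'site-one.example.com', 'site-two.example.org')

$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$LockKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null rather than throwing when the key or value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-KioskProxy {
    $findings = @()

    if ((Get-RegValue $InetKey 'ProxyEnable') -ne 1) {
        $findings += 'ProxyEnable is not 1: IE connects directly and the allowlist is moot'
    }
    if ((Get-RegValue $InetKey 'ProxyServer') -ne $SinkProxy) {
        $findings += "ProxyServer is not the expected sink $SinkProxy"
    }

    # ProxyOverride is a semicolon-separated bypass list; compare it as a set
    $raw = [string](Get-RegValue $InetKey 'ProxyOverride')
    $bypass = @($raw -split ';' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    foreach ($h in $Allowed) {
        if ($bypass -notcontains $h.ToLower()) { $findings += "Missing bypass entry: $h" }
    }
    foreach ($e in $bypass) {
        # Also flags broad entries such as <local> or wildcards that widen the allowlist
        if ($Allowed -notcontains $e) { $findings += "Unexpected bypass entry: $e" }
    }

    # "Disable changing proxy settings" policy; without it the user can undo all of the above
    if ((Get-RegValue $LockKey 'Proxy') -ne 1) {
        $findings += 'Proxy settings are not locked against user changes'
    }
    $findings
}

$result = @(Test-KioskProxy)
if ($result.Count -eq 0) { 'OK: proxy allowlist matches expected state' } else { $result }
```

Run it in the kiosk user's session, since these values live under HKCU. The proxy setting only constrains applications that honor it, which is why the IP-based filtering suggested earlier in the thread is a useful second layer.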

Kevin
Thanks and I will read the article.

Kevin



Kevin
This is what I was looking for.

Thanks,
Kevin



WT Duke
Kevin

The method in the MS KB article is pretty convoluted, though it does work. I found a better method; read the following linked page:

http://is-it-true.org/nt/nt2000/atips/atips131.shtm

Hope this helps!