In this article I’m going to go over the steps on How To Restrict Internet Access Using Group Policy (GPO). This can be especially useful for KIOSKS, lab computers, or even certain employees that spend way too much time on Youtube or other social media. The way to block it is essentially done by using a proxy server that points to the localhost. Since one won’t exist, it will show a proxy error, thus effectively blocking access to websites you don’t approve of.
This was recently the case for me, I had to block internet access to a Windows 10 user so I decided what a perfect time to share with you the steps that it takes. I should mention that the GPO works for Server 2016 as well as Server 2012R2. It is a user policy and it works with other browsers.
How To Restrict Internet Access Using Group Policy (GPO)
Now let’s walk through the steps to restrict internet access using group policy. I’m going to assume you already created the Organization Unit that you want to apply the policy to so we can skip that part.
If you would rather watch how this is configured, there is a video demo at the bottom of this article.
- Open up Group Policy Management Console (GPMC).
- Create a New Group Policy Object and name it Restrict Internet Access.
- Edit and navigate to: User Configuration -> Preferences -> Windows Settings -> Registry and create a New Registry Item.
- There are 4 registry items we need to create/update: ProxyEnable, ProxyServer, ProxyOverride, AutoDetect
The EnableProxy key will check the box to force the browser to use the proxy settings.
- Under the General Tab for the New Registry Properties:
- Action: Update. This will also create the reg key if it doesn’t exist.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: ProxyEnable
- Value Type: REG_DWORD
- Value Data: 1
- Base: Hexadecimal
Repeat the same steps to create an additional registry item. The ProxyServer will point to the localhost, 127.0.0.1.
- Action: Update.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: ProxyServer
- Value Type: REG_SZ
- Value Data: 127.0.0.1:80
The next reg key will allow you to bypass the proxy server and let you view sites. Typically, you should allow your own domain name so the users can gain access to internal links and any sub-domains if applicable.
- Action: Update.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: ProxyOverride
- Value Type: REG_SZ
- Value Data: *toriexpress.com; <local>
The last registry item will disable/uncheck the “Automatically Detect Settings” part.
- Action: Update. This will also create the reg key if it doesn’t exist.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: AutoDetect
- Value Type: REG_DWORD
- Value Data: 0
- Base: Hexadecimal
With those 4 registry settings implemented it should look like this once it has all been added.
Testing the Restrict Internet GPO
Once you add those registry keys you can see that within Internet Explorer -> Internet Options -> Connections -> LAN Settings -> the proxy settings we applied are now set. The only problem is that anyone can come in and simply overwrite the settings. Let’s fix that!
So still within Group Policy let’s navigate to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer set the following.
- Disable Changing Automatic Configuration Settings: Set to Enabled
- Prevent Changing Proxy Settings: Set to Enabled
On a computer with the policy applied you will now see that the same settings are greyed out and the user is getting a proxy server isn’t responding error.
Block Internet Access with Group Policy (GPO) Video Demo
I hope this post was informative and gave you an easy to follow, step by step guide on How To Restrict Internet Access Using Group Policy (GPO).
By Victor C.