want to centrally control the restricted sites on a Windows 7 IE8 client in a 2008 R2 domain

    Question

  • I am building a new Lab. I want /need it to be 100% Microsoft products.
    I have years of experience in the systems management but am struggling in some client management areas.

    The Question
I want to centrally control the restricted sites on a Windows 7 IE8 client in a 2008 R2 domain.

    Background.
    Previously I would have implemented a dual NIC ISA server and configured this accordingly.
I have to admit I found this a pain and a bit of a dark art that I never quite mastered, because once set up I never really messed with it. Initially I tried this in my 2008 R2 domain and came across little quirks and peculiarities, as well as articles and documents that suggested ISA is not supported in 2008 R2. So ISA is out of the picture.

    2008 NAP and NPS seems to be the way forward.
I have been reading up on this for over 2 weeks now and am still not sure what solution to investigate. I did find out how to secure the wireless using NAP and certificates, and my first shot at that is working after a fashion.

For the IE clients I’ve got as far as thinking that I can use a GPO for machine and user to implement IE Content Advisor policy.
I see a hurdle here in that the machine policy takes precedence over user policy. But my approach would be to have every machine banned from XXX sites, and every default user banned from everything else.
Add granularity by lifting the blanket user ban for certain users via AD groups to certain sites.
From my poking around and reading I think I can do this. IF it is the correct way to go.

One thing I am not sure of using this option is where one lists / modifies the lists/database of banned sites, and how one could monitor/report on compliance and attempted infringements of the rules.

Because of what I learnt when securing the wireless I am going to totally rebuild yet again (well, roll back some VMs actually). This time I'd like to secure IE before the wireless.

Anyone care to point me in the right direction?

    Thanks.

    Wednesday, April 28, 2010 3:02 PM

Answers

  • Hi,

If you are referring to the restricted sites zone in IE, that does not ban users or computers from visiting sites; it only configures a group of sites to have a higher level of browser security settings. The list of sites in that zone can be managed via GPO using the setting User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment list.

If the goal is to prevent certain users from browsing to certain sites, a proxy server is the way to go. ISA is now a legacy product (which is why it doesn't support the latest OS). The new product is called Forefront Threat Management Gateway (TMG). If you set up a TMG server as a domain member and use it as either a proxy (by configuring the IE proxy on all machines to point to it) or as a firewall (by configuring the default gateway of clients to it), you can configure rules that will prevent users from accessing certain sites. You will need to manually configure the site list. If you need a dynamic list, you can subscribe to the Microsoft URL filtering content service and then block access to sites using categories (http://blogs.technet.com/isablog/archive/2010/01/03/categories-for-url-filtering.aspx).

As far as NAP/NPS, these technologies are used to validate certain settings on client machines before giving them access to the network. You can require systems to have current antivirus products, a host-based firewall enabled, etc. before they get access to the network. Not sure how this would apply in this case.

    If I misunderstood your goals, let me know.


    Thanks,

    Guy

    Wednesday, April 28, 2010 4:18 PM
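Added example (not from the thread or from Microsoft): a PowerShell check, run on the Windows 7 client, that reports what the "Site to Zone Assignment list" GPO described above actually pushed, so you can confirm a site landed in zone 4 (Restricted sites) and remember that this hardens the browser for that site rather than blocking it. It assumes the standard policy registry locations that setting writes to, and the documented zone numbering (1 intranet, 2 trusted, 3 internet, 4 restricted).

```powershell
# Audit the Site to Zone Assignment list on this client.
# Assumed policy locations (computer and user scope) for the GPO setting:
$policyPaths = @{
    'Computer' = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    'User'     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
}
# Zone numbers used by the setting (value data) mapped to their names.
$zoneNames = @{
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}

function Get-ZoneMapAssignments {
    foreach ($scope in $policyPaths.Keys) {
        $path = $policyPaths[$scope]
        if (-not (Test-Path -LiteralPath $path)) { continue }   # policy not applied in this scope
        $key = Get-Item -LiteralPath $path
        foreach ($site in $key.GetValueNames()) {
            $zone = [string]$key.GetValue($site)      # value name = site pattern, data = zone number
            [pscustomobject]@{
                Scope    = $scope
                Site     = $site
                Zone     = $zone
                ZoneName = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "Unknown ($zone)" }
            }
        }
    }
}

$assignments = @(Get-ZoneMapAssignments)
$assignments | Sort-Object Scope, Site | Format-Table -AutoSize

# "Security Zones: Use only machine settings" makes the computer scope win over user scope.
$hklmOnly = Get-ItemProperty -LiteralPath 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
                             -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
if ($hklmOnly -and $hklmOnly.Security_HKLM_only -eq 1) {
    Write-Host 'Machine-only zone settings are enforced: user-scope assignments above are ignored.'
}

# Zone 4 tightens browser security for the site; it does not prevent the user from visiting it.
$restricted = @($assignments | Where-Object { $_.Zone -eq '4' })
if ($restricted.Count -gt 0) {
    Write-Host "`n$($restricted.Count) site(s) in Restricted sites (hardened, not blocked):"
    $restricted | ForEach-Object { Write-Host "  $($_.Scope): $($_.Site)" }
}
```

Run it after `gpupdate /force` in the user's session; an empty table means the GPO has not applied to that scope yet.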

All replies

  • Thanks Guy

Perfect answer. It's TMG that I need.

The explanations of IE Restricted Zones and NAP/NPS have also shed some light.
Thanks for such a complete reply.

    Thursday, April 29, 2010 1:24 AM