Disable Internet access to user via GPO


  • Win Server 2008 R2: how do I prevent the users who are in that OU from accessing the Internet?
    Thursday, April 21, 2016 6:10 AM


  • Hi,

    Thanks for your post.

    Based on my experience, disabling Internet access using software on the client is inherently difficult. The client isn't aware of what is an internal resource as opposed to an Internet resource. You can use GPOs to disable specific programs (like browsers) or to change how traffic is routed by the client but in order to effectively control who can and can't access the Internet, your best bet is a perimeter device like a proxy or firewall that sits between your clients and the Internet and is integrated with AD so it can manage access to the Internet based on users, groups, IP addresses, etc.

    The closest you can come without a proxy is to configure a proxy server address for those users using the Internet Explorer Maintenance component (found under User Configuration\Windows Settings). This proxy can either be a nonexistent address or, if you want more control over the error messages users get, it can be an internal web server with a page that provides a custom message. The same configuration will allow you to list specific URLs that are exempt in case you have specific web sites, internal or external, that must be available.

    Note that this option will apply to all browsing, internal and Internet based, but will only impact IE. Internet access using other browsers or other software will not be impacted unless that software leverages the IE proxy configuration (which many applications do). 

    Best Regards,

    Alvin Wang


    Thursday, April 21, 2016 8:07 AM
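
One way to confirm, on a client in the affected OU, that the proxy setting and exemption list described in the answer above actually reached the user's profile. This is an added example, not part of the original thread; the proxy address `192.0.2.1:8080`, the exemption names and the function name `Test-ProxyBlock` are assumed placeholders.

```powershell
# Added example. $ExpectedProxy and $Approved are placeholder values, not from the thread.
$ExpectedProxy = '192.0.2.1:8080'                 # dead-end proxy address (placeholder)
$Approved      = @('<local>', 'intranet.example') # exemptions the GPO should list (placeholder)

function Test-ProxyBlock {
    param([hashtable]$Settings, [string]$ExpectedProxy, [string[]]$Approved)
    $findings = @()
    if ($Settings['ProxyEnable'] -ne 1) {
        $findings += 'ProxyEnable is not 1: IE connects directly and the block is not in effect'
    }
    # Compares the single-proxy form "host:port"; a per-protocol value is reported as a mismatch.
    if ($Settings['ProxyServer'] -ne $ExpectedProxy) {
        $findings += "ProxyServer is '$($Settings['ProxyServer'])', expected '$ExpectedProxy'"
    }
    # ProxyOverride is a semicolon-separated exemption list.
    $actual = @()
    if ($Settings['ProxyOverride']) {
        $actual = @($Settings['ProxyOverride'] -split ';' |
            ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    }
    foreach ($e in $Approved) {
        if ($actual -notcontains $e.ToLower()) { $findings += "Missing exemption: $e" }
    }
    $ok = @($Approved | ForEach-Object { $_.ToLower() })
    foreach ($a in $actual) {
        if ($ok -notcontains $a) { $findings += "Unapproved exemption: $a" }
    }
    return ,$findings
}

# Live check: the values IE reads for the logged-on user.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p    = Get-ItemProperty -Path $key
$live = @{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer; ProxyOverride = $p.ProxyOverride }

# Constructed sample of a drifted profile, to show what a finding looks like.
$sample = @{ ProxyEnable = 1; ProxyServer = '192.0.2.1:8080'; ProxyOverride = '<local>;*.example.net' }

foreach ($case in @(@{ Name = 'live'; S = $live }, @{ Name = 'sample'; S = $sample })) {
    $r = Test-ProxyBlock -Settings $case.S -ExpectedProxy $ExpectedProxy -Approved $Approved
    if ($r.Count -eq 0) { "$($case.Name): OK" } else { $r | ForEach-Object { "$($case.Name): $_" } }
}
```

Run it in the user's own session, since the values live under HKCU and differ per user.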