I have users on my Windows network who need to access an intranet site. However, they don't need to access the Internet, and management wants me to prevent them from doing so. Restricting access to the iexplore.exe file on the local workstations isn't an option because the file is needed to run the intranet site. We have just a basic firewall that can restrict Internet access only according to IP address, and I don't want to assign static IP addresses to these clients. How can I configure intranet access without allowing Internet access?

If you don't want to block Internet access at the firewall, you can create an IP Security Policy and use Group Policy to push it to the appropriate workstations. (Note that IP Security Policies aren't the same thing as IPsec. Windows implements IPsec through IP Security Policies, but a policy rule can also simply permit or block traffic without negotiating IPsec at all, and that is what this solution relies on.)

IP Security Policies are composed of rules, and each rule has a filter list and an action. The filter list defines the packets for which Windows should execute the specified action. You can choose to permit the filtered packets, block them, or negotiate an IPsec security association to protect them. For your scenario, you create an IP Security Policy with two rules. The first rule blocks all outgoing TCP connections to port 80 and port 443. The second rule permits outgoing port 80 and port 443 connections if the destination address is within your LAN's subnets. Keep in mind that this blocks only those two ports: a Web server listening on another port, or any non-HTTP service, stays reachable unless you broaden the block filter list and add permit filters for the services the workstations legitimately need.

The order of the rules doesn't matter: Windows applies the most specific matching filter to each packet, so the subnet-scoped permit filter wins over the any-address block filter. Note, however, that this solution isn't user specific. IP Security Policies are computer settings that you define under the Computer Configuration section of a Group Policy Object (GPO), so they take effect no matter who logs on. Therefore, link the GPO to an organizational unit (OU) that contains the restricted users' computers, not their user accounts; if you need to narrow it further, use the GPO's security filtering with a group of computer accounts.

Be aware that the policy described above will break Windows Update, because Microsoft's update sites are outside your LAN. (An update server on your own LAN subnets is already covered by the permit rule.) If workstations fetch updates directly from Microsoft, you need to add the Windows Update sites to the permit rule's filter list so that the computers continue to apply security updates. IP filters match addresses, not names: when you enter a DNS name in a filter, Windows resolves it to IP addresses at the time you create the filter and stores those addresses, so the filter goes stale if the addresses change, and wildcard names such as *.windowsupdate.com can't be expressed at all. Expect to revisit these filters whenever Windows Update stops working. The sites Windows Update contacts are

  • http://windowsupdate.microsoft.com
  • http://*.windowsupdate.microsoft.com
  • https://*.windowsupdate.microsoft.com
  • http://download.windowsupdate.com
  • http://*.download.windowsupdate.com
  • http://*.windowsupdate.com
  • http://wustat.windows.com
  • http://ntservicepack.microsoft.com

Note that this list can change at any time.
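The two-rule policy described above, plus one Windows Update permit filter to show the DNS-name limitation, scripted with netsh. This is an added example, not part of the original answer: it builds the policy in the local policy store of one Windows XP/2003 (or later) workstation, which is useful for testing before you recreate the same objects under Computer Configuration\Windows Settings\Security Settings\IP Security Policies in a GPO. The LAN subnet 10.0.0.0/8 and all policy, filter list, filter action, and rule names are assumptions; substitute your own.

```batch
@echo off
rem Added example (not from the original article): creates the "block Web to
rem anywhere, permit Web to the LAN" IP Security Policy with netsh ipsec static.
rem ASSUMPTIONS: intranet subnet is 10.0.0.0/8; all object names are arbitrary.
setlocal
set POLICY=Intranet Only
set LAN=10.0.0.0
set LANMASK=255.0.0.0

rem Start clean. Unassign first, because an assigned policy cannot be deleted.
netsh ipsec static set policy name="%POLICY%" assign=n >nul 2>&1
netsh ipsec static delete policy name="%POLICY%" >nul 2>&1
netsh ipsec static delete filterlist name="Block Web" >nul 2>&1
netsh ipsec static delete filterlist name="Permit LAN Web" >nul 2>&1
netsh ipsec static delete filteraction name="Block" >nul 2>&1
netsh ipsec static delete filteraction name="Permit" >nul 2>&1

rem Filter list 1: outbound TCP 80 and 443 from this machine to ANY address.
rem srcport=0 means any source port; mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="Block Web"
netsh ipsec static add filter filterlist="Block Web" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Block Web" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

rem Filter list 2: the same ports, but only to the LAN subnet. This filter is more
rem specific than "any", so Windows prefers it when both match a packet.
netsh ipsec static add filterlist name="Permit LAN Web"
netsh ipsec static add filter filterlist="Permit LAN Web" srcaddr=me dstaddr=%LAN% dstmask=%LANMASK% protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Permit LAN Web" srcaddr=me dstaddr=%LAN% dstmask=%LANMASK% protocol=TCP srcport=0 dstport=443 mirrored=yes

rem Optional Windows Update exception. netsh resolves the DNS name when the filter
rem is created and stores the resulting addresses, so this entry goes stale if the
rem site's addresses change, and wildcard names cannot be entered here at all.
netsh ipsec static add filter filterlist="Permit LAN Web" srcaddr=me dstaddr=windowsupdate.microsoft.com protocol=TCP srcport=0 dstport=80 mirrored=yes

rem Filter actions: plain block and plain permit, no IPsec negotiation involved.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem The policy and its two rules. activatedefaultrule=no keeps the default
rem response rule (which only matters for IPsec negotiation) switched off.
netsh ipsec static add policy name="%POLICY%" description="Web only to the intranet" activatedefaultrule=no
netsh ipsec static add rule name="Block Internet Web" policy="%POLICY%" filterlist="Block Web" filteraction="Block"
netsh ipsec static add rule name="Permit Intranet Web" policy="%POLICY%" filterlist="Permit LAN Web" filteraction="Permit"

rem Only one policy can be assigned at a time; this makes it active locally.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Check the result: the block rule should list the two any-address filters and
rem the permit rule the subnet (and Windows Update) filters.
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Run it from an elevated command prompt, then confirm from the workstation that an intranet URL still loads while an Internet URL times out. When you move the policy into a GPO, delete the local copy (`set policy ... assign=n` followed by `delete policy`), because a locally assigned IP Security Policy and a domain-assigned one will otherwise conflict, and remember that the GPO's policy refreshes on the client only at the next Group Policy refresh.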