Restrict Computer or Users from Internet but allow access to intranet and Windows Update / ePO?
So this may be impossible but I've been asked to try and find something about it. So far nothing I have found is possible.
I need to restrict specific machines or user accounts from regular Internet access but let them have access to the intranet portion of our network. I do not have Active Directory control, nor does anyone at my local workplace (corporate control in a different state). I have tried going through IPsec and doing this per local machine, but that system seems to have been removed from the images that are installed on these machines so that is out.
So far the only other option I can think of is assigning the machines a specific IP address and removing their gateway access. This would probably work, but the machines need to be able to receive updates that are being pushed to them through ePO and LanDesk.
I would really like to do this on the user level, because then if I need to do tech work on the machine and need Internet access I can get to it, but a "special" user could log in and not be able to get into anything.
Solution 1:
I found out how I'm going to do it. Created a special noaccess.rat file for Content Advisor for Internet Explorer. Added the addresses that they need access to and nothing else. Problem solved.
Solution 2:
External firewall / router is probably the most secure. You could set up a walled garden / captive portal (much like the ones that you get when you log into a Wi-Fi hotspot) which permits access to your update services but nothing else unless a superuser password is entered.
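
The allow-or-portal decision that a walled garden like the one in Solution 2 has to make, sketched as an added example that is not part of either answer. The RFC 1918 ranges standing in for the intranet, the ePO/LanDesk hostnames and the short update-domain list are assumptions for illustration; hostnames match only on a label boundary so lookalike domains fall through to the portal.

```python
import ipaddress

# Assumptions for illustration: RFC 1918 ranges stand in for the intranet;
# epo.corp.example and landesk.corp.example are placeholder hostnames.
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sample allowlist, not a complete list of update endpoints.
ALLOWED_DOMAINS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "epo.corp.example",
    "landesk.corp.example",
)


def host_allowed(host):
    """True if host is an allowed domain or a subdomain of one.

    Matching on "." + domain (not a bare endswith) keeps a name such as
    "evilwindowsupdate.com" from passing as "windowsupdate.com".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(dest_host, dest_ip, superuser_authenticated=False):
    """Return "allow" or "portal" for one outbound connection."""
    if superuser_authenticated:
        return "allow"              # password was entered at the portal
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in net for net in INTRANET_NETS):
        return "allow"              # intranet traffic is always permitted
    if dest_host and host_allowed(dest_host):
        return "allow"              # update / management services
    return "portal"                 # everything else is sent to the portal


if __name__ == "__main__":
    # Constructed sample connections (documentation-range addresses).
    for host, ip in [("intranet.corp.example", "10.1.2.3"),
                     ("download.windowsupdate.com", "203.0.113.10"),
                     ("evilwindowsupdate.com", "203.0.113.11"),
                     ("www.example.org", "198.51.100.7")]:
        print(host, ip, decide(host, ip))
```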