How to block Internet access using Group Policy (GPO)

This article shows how to block Internet access for users or computers with an Active Directory Group Policy Object (GPO). The method has been tested on Windows 7 and Windows 10, and it works great!

There are many tutorials detailing how to block access by configuring a non-existent proxy. This method will work for some things, but the problem is that not all software necessarily uses these settings to connect to the Internet, and it does not necessarily prevent a specific user from changing these settings.

This guide recommends using Windows Firewall, managed through Active Directory, to block all external Internet IP addresses, in addition to enforcing a non-existent proxy.

Without doing both, a proxy located in a private (permitted) IP range on your network could still provide Internet access. You can apply this group policy to individual users or entire organizational units, as appropriate, and it will work well on all devices.

Please note that with Windows Firewall, the order of rules does not really matter: Block actions take precedence over Allow rules. Therefore, the Block rule must list every non-private IP range, in other words all IP addresses on the Internet at large, and leave out the private RFC 1918 and RFC 5735 ranges.

Summary version

Create a Windows Firewall policy and specify these IP address ranges in the BLOCK rule:

  1. 0.0.0.1 - 9.255.255.255
  2. 11.0.0.0 - 126.255.255.255
  3. 128.0.0.0 - 169.253.255.255
  4. 169.255.0.0 - 172.15.255.255
  5. 172.32.0.0 - 192.167.255.255
  6. 192.169.0.0 - 198.17.255.255
  7. 198.20.0.0 - 255.255.255.254

Also create a non-existent proxy and prevent users from changing this setting.

Windows Firewall GPO

Edit Group Policy as you normally would and select an appropriate object to apply the new policy to.


Give it a reasonable name and click OK.

Then, in the right pane, edit the GPO you just created.

Next, navigate to Policies – Windows Settings – Security Settings – Windows Firewall with Advanced Security – Outbound Rules.


On the right panel, right-click and select 'New Rule…'.

In the pop-up box, select 'Custom Rule' and then click Next.

Leave the default option of 'All Programs' and click Next.

Leave the protocol default as 'Any' and click Next.

This next screen is where you will add the majority of your settings. In the 'Remote IP addresses' section, select 'These IP addresses' and click 'Add'.

In the next pop-up window, you need to add some IP ranges, so click 'This IP Range' and enter the range 0.0.0.1 – 9.255.255.255.

You will have to repeat the two steps above to add the following IP ranges:

  1. 0.0.0.1 - 9.255.255.255
  2. 11.0.0.0 - 126.255.255.255
  3. 128.0.0.0 - 169.253.255.255
  4. 169.255.0.0 - 172.15.255.255
  5. 172.32.0.0 - 192.167.255.255
  6. 192.169.0.0 - 198.17.255.255
  7. 198.20.0.0 - 255.255.255.254

When you have completed the list and are satisfied with it, click Next.

On the next screen, make sure the action is marked as 'Block' and click 'Next'.

On the Profile screen, you may want to select all of the listed profiles and then click 'Next'.

Give the rule a reasonable name and click 'Finish'.
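
The firewall rule built in the steps above can also be created from PowerShell. The following is an added example, not part of the original article: it first lists the address ranges that the seven Block ranges leave reachable, then writes the rule into the GPO with New-NetFirewallRule. The policy store (domain and GPO name) and the rule name are placeholders, and the NetSecurity module (Windows 8 / Server 2012 or later) is assumed.

```powershell
# Added example: values marked PLACEHOLDER are assumptions, not from the article.
$PolicyStore = 'corp.example.com\Block Internet Access'  # PLACEHOLDER: <domain FQDN>\<GPO name>
$RuleName    = 'Block outbound Internet'                 # PLACEHOLDER display name

# The seven Block ranges from the article, as start-end strings.
$BlockRanges = @(
    '0.0.0.1-9.255.255.255'
    '11.0.0.0-126.255.255.255'
    '128.0.0.0-169.253.255.255'
    '169.255.0.0-172.15.255.255'
    '172.32.0.0-192.167.255.255'
    '192.169.0.0-198.17.255.255'
    '198.20.0.0-255.255.255.254'
)

function ConvertTo-IPv4Number([string]$Address) {
    # Dotted quad -> 64-bit integer, so that "end + 1" cannot overflow.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long]$n = 0
    foreach ($b in $bytes) { $n = $n * 256 + $b }
    return $n
}

function ConvertFrom-IPv4Number([long]$Number) {
    $octets = foreach ($shift in 24, 16, 8, 0) { ($Number -shr $shift) -band 255 }
    return $octets -join '.'
}

function Get-UnblockedRange([string[]]$Ranges) {
    # Walk the ranges in order and emit every address span they do not cover.
    $cursor = [long]0
    foreach ($range in $Ranges) {
        $start, $end = $range -split '-' | ForEach-Object { ConvertTo-IPv4Number $_ }
        if ($start -lt $cursor -or $end -lt $start) { throw "Overlapping or reversed range: $range" }
        if ($start -gt $cursor) {
            '{0}-{1}' -f (ConvertFrom-IPv4Number $cursor), (ConvertFrom-IPv4Number ($start - 1))
        }
        $cursor = $end + 1
    }
    if ($cursor -le 4294967295) { '{0}-255.255.255.255' -f (ConvertFrom-IPv4Number $cursor) }
}

Write-Host 'Address ranges the rule leaves reachable:'
Get-UnblockedRange $BlockRanges | ForEach-Object { Write-Host "  $_" }

# Same choices as the wizard: all programs, any protocol, all profiles.
# -WhatIf only previews the change; remove it to write the rule into the GPO.
New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $RuleName `
    -Direction Outbound -Action Block -Protocol Any -Profile Any `
    -RemoteAddress $BlockRanges -WhatIf
```

Any gap printed besides the intended private ranges is address space that hosts can still reach, so review the list before linking the GPO.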

Internet Settings GPO

Next, you will need to set up a fake proxy. You may need to download the IE admin package first.

Navigate to User Configuration – Preferences – Control Panel Settings – Internet Settings, then right-click in the right panel and choose the option to create new settings.

Then click Connections, then LAN Settings.

In the box that appears, check 'Use a proxy server for your LAN' and in the address box, enter '127.0.0.1' on port '3128'.

Then click OK twice to return to the main GPO screen.


Next, in the GPO, go to User Configuration – Administrative Templates – Windows Components – Internet Explorer.

On the right side, you need to find the option that says 'Disable changing connection settings'. When you see it, open it by double-clicking on it.

Enable this setting and click OK.

Close all GPO windows and you're done!
