How to block Internet access using Group Policy (GPO)

This article shows you how to block Internet access for users or computers with an Active Directory Group Policy Object. This method has been tested on Windows 7 and Windows 10 and it works great!

There are many tutorials detailing how to block access by configuring a non-existent proxy. This method works for some things, but the problem is that not all software uses these settings to connect to the Internet, and the method does not necessarily prevent a specific user from changing these settings.

This guide recommends using Windows Firewall, managed through Active Directory, to block all Internet IP addresses, in addition to enforcing a non-existent proxy.

Without doing both, proxies can exist on your network in private (permitted) IP ranges and thus provide Internet access. You can apply this group policy to individual users or entire organizational units, as appropriate, and it will work well on all devices.

Please note that with Windows Firewall, the order of rules does not really matter: Block actions take precedence over Allow rules. Therefore, the Block rule must list all non-private IP ranges, in other words all IP addresses on the Internet at large, and must leave out the private RFC 1918 and RFC 5735 ranges.

Summary version

Create a Windows Firewall policy and specify these IP address ranges in the BLOCK rule:

  1. 0.0.0.1 - 9.255.255.255
  2. 11.0.0.0 - 126.255.255.255
  3. 128.0.0.0 - 169.253.255.255
  4. 169.255.0.0 - 172.15.255.255
  5. 172.32.0.0 - 192.167.255.255
  6. 192.169.0.0 - 198.17.255.255
  7. 198.20.0.0 - 255.255.255.254

Also create a non-existent proxy and prevent users from changing this setting.

Windows Firewall GPO

Edit Group Policy as you normally would and select an appropriate object to apply the new policy to.

Give it a reasonable name and click OK.

Then, in the right pane, edit the GPO you just created.

Next, navigate to Policies – Windows Settings – Security Settings – Windows Firewall with Advanced Security – Outbound Rules.

On the right panel, right-click and select 'New Rule…'.

In the pop-up box, select 'Custom Rule' and then click Next.

Leave the default option of 'All Programs' and click Next.

Leave the protocol default as 'Any' and click Next.

This next screen is where you will add the majority of your settings. In the 'Remote IP addresses' section, select 'These IP addresses' and click 'Add'.

In the next pop-up window, you need to add some IP ranges, so click 'This IP Range' and enter the range 0.0.0.1 – 9.255.255.255.

You will have to repeat the two steps above to add the following IP ranges:

  1. 0.0.0.1 - 9.255.255.255
  2. 11.0.0.0 - 126.255.255.255
  3. 128.0.0.0 - 169.253.255.255
  4. 169.255.0.0 - 172.15.255.255
  5. 172.32.0.0 - 192.167.255.255
  6. 192.169.0.0 - 198.17.255.255
  7. 198.20.0.0 - 255.255.255.254

When you complete that list, review the ranges shown on the screen and, if you are satisfied, click Next.

On the next screen, make sure the action is marked as 'Block' and click 'Next'.

On the Profile screen, you may want to select all of the listed locations and then click 'Next'.

Give the rule a reasonable name and click 'Finish'.
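
The same outbound rule can also be created from PowerShell instead of the wizard. The script below is an added example, not part of the original article; the domain corp.example, the GPO name, the rule name and the OU in the commented-out link are assumed placeholders. It first lists the gaps left between the seven ranges, so you can confirm which addresses stay reachable, and then writes the Block rule into the GPO.

```powershell
# Added example, not from the original article. Assumed (hypothetical) names:
# domain corp.example, GPO and rule names, and the OU in the commented link.
Import-Module GroupPolicy
$domain  = 'corp.example'
$gpoName = 'Block Internet Access'

# The seven public ranges listed in the article.
$blockRanges = @(
    '0.0.0.1-9.255.255.255'
    '11.0.0.0-126.255.255.255'
    '128.0.0.0-169.253.255.255'
    '169.255.0.0-172.15.255.255'
    '172.32.0.0-192.167.255.255'
    '192.169.0.0-198.17.255.255'
    '198.20.0.0-255.255.255.254'
)

function ConvertTo-UInt32([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)              # network order -> little-endian
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertTo-Ip([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    $b -join '.'
}

# List every gap between consecutive block ranges: these are the addresses
# that remain reachable, to compare against the intended private ranges.
$prevHi = $null
foreach ($range in $blockRanges) {
    $lo, $hi = $range -split '-' | ForEach-Object { ConvertTo-UInt32 $_ }
    if ($null -ne $prevHi -and $lo -gt $prevHi + 1) {
        '{0} - {1} is not blocked' -f (ConvertTo-Ip ($prevHi + 1)), (ConvertTo-Ip ($lo - 1))
    }
    $prevHi = $hi
}

# Create the GPO and store one outbound Block rule in it (all programs,
# any protocol, all profiles), matching the wizard steps.
New-GPO -Name $gpoName | Out-Null
New-NetFirewallRule -PolicyStore "$domain\$gpoName" `
    -DisplayName 'Block outbound to public IP ranges' `
    -Direction Outbound -Action Block -Profile Any `
    -RemoteAddress $blockRanges | Out-Null
# New-GPLink -Name $gpoName -Target 'OU=Restricted,DC=corp,DC=example'
# Read the stored rule back to confirm the address list.
Get-NetFirewallRule -PolicyStore "$domain\$gpoName" | Get-NetFirewallAddressFilter
```

Run it from a management workstation that has the Group Policy management tools installed, with rights to create GPOs in the domain.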

Internet Settings GPO

Next, you will need to set up a fake proxy. You may need to download the IE admin package first.

Navigate to User Configuration – Preferences – Control Panel Settings – Internet Settings, then right-click in the right panel and choose the option to create new settings.

Then click Connections, then LAN Settings.

In the box that appears, check 'Use a proxy server for your LAN' and, in the address box, enter '127.0.0.1' with port '3128'.

Then click OK twice to return to the main GPO screen.

Next, in the GPO, go to User Configuration – Administrative Templates – Windows Components – Internet Explorer.

On the right side, find the option that says 'Disable changing connection settings'. When you see it, open it by double-clicking on it.

Enable this setting and click OK.

Close all GPO windows and you're done!