How to block Internet access using Group Policy (GPO)
This article shows how to block Internet access for users or computers with an Active Directory Group Policy Object (GPO). It has been tested on Windows 7 and Windows 10, and it works great!
There are many tutorials detailing how to block access by configuring a non-existent proxy. This method will work for some things, but the problem is that not all software necessarily uses these settings to connect to the Internet, and it does not necessarily prevent a specific user from using these settings.
This guide recommends using Windows Firewall, managed through Active Directory, to block all Internet IP addresses, in addition to enforcing a non-existent proxy.
If you do not do both, a proxy can exist on your network in a private (permitted) IP range and thus provide Internet activity. You can apply this group policy to individual users or entire organizational units, as appropriate, and it will work well on all devices.
Please note that with Windows Firewall the order of rules does not really matter: Block actions take precedence over Allow rules. Therefore the block rule must list every non-private IP range, in other words all IP addresses on the Internet at large, and must leave out the private and special-use ranges of RFC 1918 and RFC 5735.
Summary version
Create a Windows Firewall policy and specify these IP address ranges in the BLOCK rule:
- 0.0.0.1 - 9.255.255.255
- 11.0.0.0 - 126.255.255.255
- 128.0.0.0 - 169.253.255.255
- 169.255.0.0 - 172.15.255.255
- 172.32.0.0 - 192.167.255.255
- 192.169.0.0 - 198.17.255.255
- 198.20.0.0 - 255.255.255.254
Also create a non-existent proxy and prevent users from changing this setting.
Windows Firewall GPO
Edit Group Policy as you normally would and select an appropriate object to apply the new policy to.
Give it a reasonable name and click OK.
Then, in the right-hand pane, edit the GPO you just created.
Next, navigate to Policies – Windows Settings – Security Settings – Windows Firewall with Advanced Security – Outbound Rules.
On the right panel, right-click and select 'New Rule…'.
In the pop-up box, select 'Custom Rule' and then click Next.
Leave the default option of 'All Programs' and click Next.
Leave the protocol default as 'Any' and click Next.
The next screen is where you will add the majority of your settings. In the 'Remote IP addresses' section, select 'These IP addresses' and click 'Add'.
In the next pop-up window you need to add some IP ranges, so click 'This IP Range' and enter the range 0.0.0.1 – 9.255.255.255.
You will have to repeat the two steps above to add the following IP ranges:
- 0.0.0.1 - 9.255.255.255
- 11.0.0.0 - 126.255.255.255
- 128.0.0.0 - 169.253.255.255
- 169.255.0.0 - 172.15.255.255
- 172.32.0.0 - 192.167.255.255
- 192.169.0.0 - 198.17.255.255
- 198.20.0.0 - 255.255.255.254
When you have completed the list and are satisfied with it, click Next.
On the next screen, make sure the action is marked as 'Block' and click 'Next'.
On the Profile screen, you may want to select all of the locations and then click 'Next'.
Give the rule a reasonable name and click 'Finish'.
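The firewall steps above can also be scripted with the NetSecurity PowerShell module; the script first checks that no internal address falls inside a block range, because Block overrides Allow, and then writes the rule into the GPO. This is an added example, not part of the original article: the domain, GPO name and rule name are placeholders, and the sample internal addresses are constructed.

```powershell
# Added example. Assumptions: the GPO already exists and is linked;
# 'example.local', 'Block Internet' and the rule name are placeholders.
$gpoPath  = 'example.local\Block Internet'
$ruleName = 'Block outbound Internet'

# The seven public ranges from the list above.
$blockRanges = @(
    '0.0.0.1-9.255.255.255'
    '11.0.0.0-126.255.255.255'
    '128.0.0.0-169.253.255.255'
    '169.255.0.0-172.15.255.255'
    '172.32.0.0-192.167.255.255'
    '192.169.0.0-198.17.255.255'
    '198.20.0.0-255.255.255.254'
)

# Convert a dotted-quad address to a number so ranges can be compared.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)          # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

# Block beats Allow, so a typo that swallows an internal range cannot be
# repaired with an Allow rule. Stop if any of these sample internal addresses
# (constructed; substitute your own DCs, DNS and file servers) is covered.
$mustStayReachable = '10.0.0.1', '127.0.0.1', '172.16.0.1', '172.31.255.254', '192.168.0.1'
foreach ($ip in $mustStayReachable) {
    $n = ConvertTo-UInt32 $ip
    foreach ($range in $blockRanges) {
        $lo, $hi = $range -split '-' | ForEach-Object { ConvertTo-UInt32 $_ }
        if ($n -ge $lo -and $n -le $hi) { throw "$ip is inside block range $range" }
    }
}

# Batch the edit in a GPO session, then write it back to the domain.
$session = Open-NetGPO -PolicyStore $gpoPath
New-NetFirewallRule -GPOSession $session -DisplayName $ruleName `
    -Direction Outbound -Action Block -Profile Any `
    -RemoteAddress $blockRanges | Out-Null
Save-NetGPO -GPOSession $session

# Read the rule back from the GPO to confirm the address list.
Get-NetFirewallRule -PolicyStore $gpoPath -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
```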
Internet Settings GPO
Next, you will need to set up a fake proxy. You may need to download the IE admin package first.
Navigate to User Configuration – Preferences – Control Panel Settings – Internet Settings, then right-click in the right panel and choose the option to create new settings.
Then click Connections, then LAN Settings.
In the box that appears, check 'Use a proxy server for your LAN' and, in the address box, enter '127.0.0.1' with port '3128'.
Then click OK twice to return to the main GPO screen.
Next, in the GPO, go to User Configuration – Administrative Templates – Windows Components – Internet Explorer.
On the right side, find the option that says 'Disable changing connection settings'. When you see it, open it by double-clicking on it.
Enable this setting and click OK.
Close all GPO windows and you're done!
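To confirm that both halves of the policy reached a client, the following check reads the effective firewall rule, the per-user proxy values, and whether anything is listening on the proxy port. This is an added example, not part of the original article; the rule name is a placeholder for whatever name you gave the rule.

```powershell
# Added example. Run on a client as a targeted user after 'gpupdate /force'.
# Assumption: $RuleName matches the name you gave the firewall rule.
function Test-InternetBlockPolicy {
    param(
        [string]$RuleName = 'Block outbound Internet',   # placeholder name
        [string]$Proxy    = '127.0.0.1:3128'             # value from the steps above
    )

    # Effective firewall policy (local rules merged with GPO rules).
    $rule = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $RuleName `
                -ErrorAction SilentlyContinue | Select-Object -First 1
    $ranges = @()
    if ($rule) { $ranges = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) }

    # Per-user proxy values written by the Internet Settings preference item.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # The proxy is only "non-existent" while nothing listens on that loopback port.
    $port     = [int](($Proxy -split ':')[1])
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RuleActive        = [bool]($rule -and $rule.Enabled -eq 'True' -and
                                   $rule.Direction -eq 'Outbound' -and $rule.Action -eq 'Block')
        BlockedRangeCount = $ranges.Count
        ProxyEnabled      = ($inet.ProxyEnable -eq 1)
        ProxyMatches      = ($inet.ProxyServer -eq $Proxy)
        PortHasListener   = [bool]$listener
    }
}

Test-InternetBlockPolicy | Format-List
```

A healthy client reports the rule as active, the proxy as enabled and matching, and no listener on the port.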