Block a single computer from surfing on the Internet

To configure a single computer follow these steps:

Configuring IP Filter Lists and Filter actions

1. Open an MMC window (Start > Run > MMC).
2. Add the IP Security and Policy Management Snap-In.

3. In the Select which computer this policy will manage window select the local computer (or any other policy depending upon your needs). Click Close then click Ok.

4. Right-click IP Security Policies in the left pane of the MMC console. Select Manage IP Filter Lists and Filter Actions.

5. In the Manage IP Filter Lists and Filter actions click Add.

6. In the IP Filter List window type a descriptive name (such as HTTP, HTTPS) and click Add to add the new filters.

7. In the Welcome window click Next.
8. In the description box type a description if you want and click Next.

9. In the IP Traffic Source window leave My IP Address selected and click Next.

10. In the IP Traffic Destination window leave Any IP Address selected and click Next.

11. In the IP Protocol Type scroll to TCP and press Next.

12. In the IP Protocol Port type 80 (for HTTP) in the To This Post box, and click Next.

13. In the IP Filter List window notice how a new IP Filter has been added. Now, if you want, add HTTPS (Any IP to Any IP, Protocol TCP, Destination Port 443) in the same manner.

14. Now that you have both filters set up, click Ok.

15. Back in the Manage IP Filter Lists and Filter actions review your filters (you can add or remove more filters later). Now we'd like to add a new filter that will define the INTRANET web traffic. Again, click Add.

16. Again, give the new filter an appropriate name - for example - Intranet, and then proceed to configuring the filter by clicking Add.

17. In the IP Traffic Source window leave My IP Address selected and click Next.
18. In the IP Traffic Destination click the drop-down list and select the type of destination. For example, if you only want to allow web traffic for one specific Intranet web server called SERVER200, choose A Specific DNS Name.

Then, in the Host Name box type SERVER200 and click Next.

If you want to allow web traffic for an entire internal subnet such as 192.168.0.0/24, select A Specific IP Subnet, and type the Network ID and Subnet Mask for the required subnet. Click Next.

19. Back in the IP Filter list add any other filter you want, and finally click Ok.

Disable Internet access on a Windows PC

Solution

Here was the response from TechRepublic member zaferus: "There are two ways youcan disable Web browsing from a Windows system:

1. Go to Internet Options in the Control Panel. Go to the Connections tab and click LAN settings. Uncheck "Automatically detect settings" and then check "Use proxy server" and put settings in for a proxy server that doesn't exist. This will time out the Web browser each time a user tries to pull up an Internet site. Unfortunately, a savvy user could go into the settings and fix this.
2. Alternatively, you can set the Internet router to deny all port 80 traffic to the WAN from the IP address of the client PC you want to block. This is something that the user is less likely to figure out, and it will effectively block that one PC from Web access, while still allowing all over LAN users full access to the Internet."

TechRepublic member brianadded another option:

"Go to:

• TCP/IP Properties
• Advanced
• Options
• TCP/IP filtering Properties
• Select Enable TCP/IP filtering (All adapters)
• Select Permit Only for all three selections (TCP, UDP, IP)
• Add only the allowed ports that are needed (leaving out port 80 for Web browser traffic)
• Click OK multiple times to close out the windows

These settings could also be set in a Group Policy GPO so thatthe user can't change them. You would make a special group just for this user."