ICS deny access to one computer

skuz · September 7th, 2002, 01:16 AM

Is it possible when using ICS to deny web access to a particular computer without preventing it from using the local network ?

Elite_Monkey · September 7th, 2002, 01:49 AM

hhmmm i guess i don't know,,,well good luck

DVNT1 · September 7th, 2002, 03:39 AM

Yes.

One idea... if you only have one subnet then add a ficticious Default Gateway IP address to that computer. Then it won't know how to get out of the LAN.

Another idea, set the IP address manually on this computer and don't set a default Gateway IP address. An IP like 192.168.0.250 so it is unlikely ICS willl ever try to assign that IP address somewhere.

skuz · September 7th, 2002, 09:48 AM

Yes, that would work, but temporarily, since the person there knows the basics of TCP/IP configuration. I would prefer doing something on the server/gateway (Win2kpro) so he cannot fix it himself.

The goal is to block this person against his will. Sure I could buy a Cisco router and make an access list, but that's a bit expensive.

September 7th, 2002, 10:02 AM

Don't know if this would work, 'cause I don't know enough about domains and win2K, but could you set up a group in the win2k domain which has ICS turned off, or restricts their access to the ICS host (if it's not the win2kserver, that is

)? Then put this person in this group for rights?

Tell me if I'm barking up the wrong tree; as I said, I don't know much about domains, only what I've fiddled with on my home LAN in winNTserver.

Cheers
Mick

DVNT1 · September 7th, 2002, 07:05 PM

I can't think of a way to do this at the server with ICS. The best I can think of with Mickwish's idea is too set u pa special OU for this computer and create a Group Policy that makes him use a proxy address that does't exist. This would only work for IE + OE though.

If this person had a static IP address then you could block his IP address with ZA (or some 3rd party software).

If it is dynamically assigned by ICS then you need a 3rd party software that would filter on MAC address. I don't know what that would be though.

A different approach would be getting rid of ICS and use W2K Server's NAT or use a proxy application. Most proxies allow authentication methods before granting access.

skuz · September 7th, 2002, 10:41 PM

Well I'm not on a domain and he does not log on to Windows, so a GPO can't be used.

I'll try to find a solution from your answers and the ZA suggestion is a good idea.

Cyclone2 · September 8th, 2002, 08:36 AM

I believe ZA will work if you have static or dynamic ips, it will just require a different way of blocking that comp.
Will require a bit of playing around

DVNT1 · September 8th, 2002, 09:01 AM

yes, it can block the IP address regardless of how that IP address was given. Its just with a dynamic IP address you will eventually block the wrong computer when the IP addresses change.

zskillz · September 9th, 2002, 02:34 AM

couldn't you set up ICS to only allow use to members of a group... that way if he doesn't logon, then he can't use it?

-Z