Restricting Specific Web Sites in Internet Explorer Using Group Policy
Are you aware there are Web sites that you should not allow your employees to visit? Of course you are! Now, are you aware that you can configure Internet Explorer to restrict access to these Web sites? I am sure some of you are fully aware of this as well. Now, are you aware that you can use Group Policy to restrict these Web sites? Now I have your attention... don't I!? It is true that there are Web sites that should be restricted for many of your employees. It is also true that some employees need to have different Web sites restricted when compared to other employees. I will show you how to use Group Policy to restrict Web sites, then I will take it one step further and show you how to restrict some users and not others.
Restricted Sites in Internet Explorer
If you were not aware of it, Internet Explorer provides a security feature that allows for the blocking of specified Web addresses. The setting is designed to help prevent direct access to these sites, as well as redirected inquiries to the specified sites. The setting has been around for many versions of Internet Explorer and can be found on the Content tab of the Internet Explorer Options dialog box.
Yes, the Content tab! I am sure that many of you want to use the Security tab and its Restricted Sites zone, but that does not actually restrict the site; it just limits what can be viewed on the site.
The most recent versions of Internet Explorer (5, 6, 7, and 8) all provide support for establishing a list of Web sites that are not allowed. To access and configure your list of restricted sites for these versions of Internet Explorer, you need to access the Internet Options. Depending on the version of Internet Explorer you are running, you will find it in a different location. For version 7, you will use the Tools drop-down list found on the right-hand side of the toolbar, then select the Internet Options menu option. You will be presented with a dialog box for the Internet Options, like the one shown in Figure 1.
Figure 1: Internet Options for Internet Explorer version 7
To restrict sites through Internet Explorer, click on the Content tab on the Internet Options dialog box, then click on the Restricted Sites icon under the zone area, which is shown in Figure 2.
Figure 2: Content tab within the Internet Options dialog box
To configure the sites that you want to restrict for the computer, click on the Approved Sites tab, which is shown in Figure 3.
Figure 3: Approved Sites tab for the Content Advisor settings for Internet Explorer
To add a site, type it into the "Allow this website:" text box, then click the Never button. When you have configured all of the sites that you want to restrict, click the Apply button.
Next, you will want to control websites that do not have any content ratings. This is key: if you do not allow this option, some sites will not be visible to your end users. To configure this setting, click on the General tab within the Content Advisor dialog box. This tab is directly next to the Approved Sites tab you just configured. The General tab is shown in Figure 4.
Figure 4: General tab to configure Content ratings for Internet Explorer
On this tab, you will want to ensure that the first check box is selected, which is the one for "Users can see websites that have no rating". As for the second check box, you can decide whether you want to provide a password so that some users and/or IT staff can see blocked sites by entering it.
Once you have blocked a Web site, the system should give you a dialog box indicating that the site is blocked, such as the one shown in Figure 5.
Figure 5: When a site is blocked, the system will show a dialog box indicating that the site is blocked
Blocking Web Sites Using Group Policy
When you want to distribute the list of blocked sites to all of your employees, you can either do this manually or with Group Policy. If you use Group Policy, you can simply configure the list of blocked sites one time, then let Group Policy processing deploy the setting to every computer with no additional effort from you.
In order to use Group Policy to distribute the list of Approved sites that are blocked, you will first need to create and configure a GPO for your domain. Since this GPO will affect every user, you can link the GPO to the domain node. You can use the GPMC to do this.
Then, once you have the GPO created and linked, you will want to edit the GPO. Once you have the GPO in the editor, you will want to expand the User Configuration node down to Policies|Windows Settings|Internet Explorer Maintenance|Security|Security Zones and Content Ratings. When you have expanded down to this node, double click on the Security Zones and Content Ratings policy to open up the dialog box which is shown in Figure 6.
Figure 6: Security Zones and Content Ratings Dialog box from a GPO
Here are the tricky parts! The computer that you are editing the GPO on MUST be running the same version of Internet Explorer that the target computers are running on. The reason is that Internet Explorer stores content rating information in different files depending on the version. Also, you must configure the Internet Explorer settings for content rating on the computer where you are editing the GPO because you will be "importing" the settings from the local computer into the GPO.
Never edit the Internet Explorer Maintenance settings in a GPO from a computer running a different version of Internet Explorer than the one the GPO settings were originally created with. This can cause issues within both the GPO and the target computer receiving the settings.
To configure the settings for content ratings, you select the radio button under the content ratings section labeled "Import the current Content Ratings settings." My suggestion is for you to also select the Modify Settings button to ensure that you have the correct settings. You just want to follow the same steps as you did above in the article when you manually configured the settings.
Once you have completed the import step and configured the settings, you only need to click the OK button and let Group Policy processing do the rest. If you want to have the settings apply faster, you can of course run gpupdate on the target computer to have the settings apply immediately.
Blocking Web Sites for Some Users, But Not All Users
In order to block Web sites for some users and not all, you will follow the same steps as you did in the last section, but instead of linking the GPO to the domain, link it to an organizational unit (OU) where all of the users are located that will receive the setting. This will ensure that the settings in the GPO linked to the OU only affect the users in that OU and not anywhere else in Active Directory.
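The scoping step described above can also be scripted. The following is an added example, not part of the original article: it creates the GPO, links it to an OU instead of the domain, and reports which user accounts fall in scope. The GPO name and OU distinguished name are assumptions, and the content ratings import itself still has to be done in the GPO editor as described earlier.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. $GpoName and $TargetOu are hypothetical values; substitute your own.
$GpoName  = 'IE Blocked Sites'
$TargetOu = 'OU=Restricted Users,DC=example,DC=com'

# Stop early if the OU does not exist, so no orphaned GPO is created.
$ou = Get-ADOrganizationalUnit -Identity $TargetOu -ErrorAction Stop

# Create the GPO only if it is not already present (safe to re-run).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Content Advisor blocked-site list'
}

# The settings live under User Configuration, so the computer half can be disabled.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Link to the OU unless a link for this GPO already exists there.
$ouLinks = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks
if (-not ($ouLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# A link at the domain root would apply the block list to every user,
# which defeats the per-OU scoping. Warn if one is found.
$domainDn  = (Get-ADDomain).DistinguishedName
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if ($rootLinks) {
    Write-Warning "'$GpoName' is also linked at $domainDn and will reach all users."
}

# User Configuration policy follows the user object, so the OU must hold
# the user accounts (not just their computers). List who is in scope.
$users = Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope Subtree
if (-not $users) {
    Write-Warning "No user accounts under $TargetOu; the policy will apply to nobody."
}

[pscustomobject]@{
    Gpo          = $gpo.DisplayName
    GpoId        = $gpo.Id
    LinkedTo     = $ou.DistinguishedName
    UsersInScope = @($users).Count
    SampleUsers  = ($users | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '
}

# On a target computer, after the import step is done in the GPO editor:
#   gpupdate /target:user /force
```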
As you can see, blocking Web sites is not that hard within Internet Explorer. You can use three different methods to deploy your settings. You can manually configure Internet Explorer on every computer where you want to block the sites. This can be cumbersome and very time consuming, but effective. You can configure all computers exactly the same way by using Group Policy within Active Directory and linking the GPO to the domain. This will affect every user in the domain, including IT staff and executives. Finally, if you want to configure only a subset of users, you can link a GPO to an OU containing all of those users, which will narrow down the scope of which users are affected. Regardless of your choice, you can now help control which Web sites employees can access using Internet Explorer.