Had an interesting request about denying internet access to a particular user account on a Windows machine. This exercise showed me again that is usually more than one way to accomplish something. The first hurdle was that this needed to be done on different versions of Windows. It was already done on a Windows XP machine via NTFS permissions. I had to find a way to do it on Windows Vista Home Premium and Windows 7 Enterprise.
On Windows Vista Home Premium (HP), the process was actually fairly easy. Windows Vista HP has Parental Controls in it, which helped us accomplish our goal. Specifically, it was the Vista Web Filtering tools built-in to the Parental Controls. First, turn on the Parental Controls found in Control Panel. Next click through to the Web Filtering tool and enable the sites allowed option. The key to make this work is to make sure to NOT list any sites to be allowed. This will block all connections via a web browser. What's more, I tested this through Firefox in the account controlled by Parental Controls as well and it worked too.
Windows 7 did away with the Web Filter tools in Parental Controls. Had to find another way to do it. A Google search yielded the path of using a proxy address to control the flow. The nice thing about this solution is that proxy configurations are now user-specific, which means it only affects the one user and not all users. Here are the steps:
1. While in the user account that needs to be limited, setup a proxy server address in Internet Options > Connections > LAN settings. I used 127.0.0.1.
2. Log out and login to an account with administrative access.
3. Launch Local Group Policy Editor (gpedit.msc).
4. Under User Configuration > Administrative Templates > Windows Components > Internet Explorer > Browser Menus, enable the Tools menu: Disable Internet Options... menu option. This will disable access to Internet Options from Internet Explorer.
5. In the same window for Local Group Policy Editor, go to User Configuration > Administrative Templates and click on Control Panel.
6. Open the option for Hide specified Control Panel items and enable it. Then click on the Show button.
7. In a blank field under the Value column, type in Microsoft.InternetOptions. This disables access to the Internet Options area from the Windows Control Panel.
8. Hit OK, OK, and close out the Local Group Policy Editor.
A few pertinent notes here: we were only concerned with blocking browser access. There are, of course, other ways to get connected, but that's a task for another day. Also, these machines were not joined to any domain, only setup as stand-alone machines. Finally, the locking out of Internet Options at the Internet Explorer level and the Control Panel level is effective for all users, unlike the proxy setting that only affects the one user. Also, always make sure to test before deploying.
Update (2012_02_02): Before locking out Internet Options, check this setting. In Internet Options > Connections > LAN Settings, make sure to uncheck Automatically detect settings. This ensures that the proxy settings are used every time (Thanks to my colleague, Erin for pointing this out.)
Happy Computing.