In this article I’m going to go over the steps to restrict internet access using Group Policy (GPO). This can be especially useful for kiosks, lab computers, or even certain employees that spend way too much time on YouTube or other social media. The block works by pointing the browser's proxy setting at the localhost. Since no proxy server is listening there, the browser shows a proxy error, effectively blocking access to websites you don’t approve of.
This was recently the case for me: I had to block internet access for a Windows 10 user, so I decided it was a perfect time to share the steps that it takes. I should mention that the GPO works for Server 2016 as well as Server 2012R2. It is a user policy and it works with other browsers.
How To Restrict Internet Access Using Group Policy (GPO)
Now let’s walk through the steps to restrict internet access using group policy. I’m going to assume you have already created the Organizational Unit (OU) that you want to apply the policy to, so we can skip that part.
If you would rather watch how this is configured, there is a video demo at the bottom of this article.
- Open up Group Policy Management Console (GPMC).
- Create a New Group Policy Object and name it Restrict Internet Access.
- Edit and navigate to: User Configuration -> Preferences -> Windows Settings -> Registry and create a New Registry Item.
- There are 4 registry items we need to create/update: ProxyEnable, ProxyServer, ProxyOverride, and AutoDetect.
The ProxyEnable value checks the box that forces the browser to use the proxy settings.
- Under the General Tab for the New Registry Properties:
- Action: Update. This will also create the reg key if it doesn’t exist.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: ProxyEnable
- Value Type: REG_DWORD
- Value Data: 1
- Base: Hexadecimal
Repeat the same steps to create an additional registry item. The ProxyServer value points the browser at the localhost, 127.0.0.1.
- Action: Update.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: ProxyServer
- Value Type: REG_SZ
- Value Data: 127.0.0.1:80
The next registry value, ProxyOverride, lists the sites that bypass the proxy server and therefore stay reachable. Typically, you should allow your own domain name so the users can reach internal links and any sub-domains, if applicable.
- Action: Update.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: ProxyOverride
- Value Type: REG_SZ
- Value Data: *theSysadminChannel.com; <local>
The last registry item will disable/uncheck the “Automatically Detect Settings” checkbox.
- Action: Update. This will also create the reg key if it doesn’t exist.
- Hive: HKEY_CURRENT_USER
- Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Value Name: AutoDetect
- Value Type: REG_DWORD
- Value Data: 0
- Base: Hexadecimal
With those 4 registry settings implemented, the Registry node of the GPO should list all four items once everything has been added.
Testing the Restrict Internet GPO
Once you add those registry keys you can see that within Internet Explorer -> Internet Options -> Connections -> LAN Settings -> the proxy settings we applied are now set. The only problem is that anyone can come in and simply overwrite the settings. Let’s fix that!
Still within Group Policy, navigate to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer and set the following.
- Disable Changing Automatic Configuration Settings: Set to Enabled
- Prevent Changing Proxy Settings: Set to Enabled
On a computer with the policy applied, you will now see that the same settings are greyed out and the user gets a “proxy server isn’t responding” error.
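To confirm on a client that the four registry values from the steps above actually landed in the user's hive, a check like the following can be run in that user's session. This is an added example, not part of the original article; the function name `Test-ProxyLockdown` and the sample object are hypothetical.

```powershell
# Added example: audit the four HKCU values this GPO sets. Run as the target user.
$KeyPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

# Expected values, taken from the steps in this article.
$Expected = [ordered]@{
    ProxyEnable = 1
    ProxyServer = '127.0.0.1:80'
    AutoDetect  = 0
}

function Test-ProxyLockdown {   # hypothetical helper name
    param(
        # Object exposing the registry values as properties; defaults to the live key.
        $Settings = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue)
    )
    foreach ($name in $Expected.Keys) {
        $actual = if ($Settings) { $Settings.$name } else { $null }
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
    # ProxyOverride is site-specific: list every bypass entry so it can be reviewed.
    $bypass = @()
    if ($Settings -and $Settings.ProxyOverride) {
        $bypass = @($Settings.ProxyOverride -split ';' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    [pscustomobject]@{
        Value    = 'ProxyOverride'
        Expected = '(reviewed bypass list)'
        Actual   = $bypass -join ', '
        Ok       = $bypass.Count -gt 0
    }
}

# Constructed sample (not captured from a real machine): AutoDetect was left at 1.
$sample = [pscustomobject]@{
    ProxyEnable = 1; ProxyServer = '127.0.0.1:80'
    ProxyOverride = '*theSysadminChannel.com; <local>'; AutoDetect = 1
}
Test-ProxyLockdown -Settings $sample | Format-Table -AutoSize
Test-ProxyLockdown | Format-Table -AutoSize   # live values for the current user
```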
Block Internet Access with Group Policy (GPO) Video Demo
I hope this post was informative and gave you an easy to follow, step by step guide on How To Restrict Internet Access Using Group Policy (GPO).
Thanks for this great tutorial. I have one problem. Doing this seems to break Windows Update. What sites should I whitelist to permit Windows Update to function?
And now that I need to unblock it for work, how do I do that? I am stuck here and borrowing a laptop from a friend until someone hopefully answers me 🙁
What I noticed about doing this is that it saves the reg edit to the local machine on the user's Windows account and no amount of editing of the GP will fix it. I had to go into the registry editor at each computer where that user had logged in and manually remove or update the websites via regedit. I was then able to get back to the rest of the internet!
Hello,
Thanks for the tutorial, it was helpful. I have a problem with the website I set up in the override: it opens, but I can see only the HTML of the page and the CSS is missing. Any advice?
Hi,
Thanks for the tutorial. I have a question about the ProxyOverride. The page I set up there is opening in HTML mode and the CSS is missing.
Horrible service
Appreciate the feedback. Thanks
This method doesn’t work on Domain GP Win 2019
Hi, I use this method and it works well. My problem is with ProxyOverride. I add the websites that I want to access. I added about 90 website links and it works, but when I add more than 90, those above 90 won’t be bypassed. How do I add more than 90 sites to the exceptions? I am using windows server r12
Dear, I used this method and it is working perfectly, but when I try to add more websites, like 10-15 websites, it gets stuck on the problem. Any solution for this?
Hi Paul,
Great Tutorial! I have been asked to create a group policy to restrict student internet access to specific URLs in Chrome. Internet Explorer and Firefox will be completely blocked. Do you have a tutorial to do this in Chrome?
Thank you in advance.
That most likely will need to be done at the network level (firewall).
Hi Paul,
Thank you for this amazing tutorial. It was very helpful. Now, what if I want to restrict internet access for any user who logs on to a specific computer? Should I use the steps under the Computer Configuration?
Thank you in advance.
You can use this “Proxy method” to restrict internet access to any OU that you choose to apply and allow listed sites as shown in this tutorial. It works only by workstations; there’s no GPO to restrict internet access to a specific logged-on user.
If you want to allow internet access and just deny some websites, I advise modifying the Windows hosts file and pushing it through a GPO.