Different IP addresses for different user accounts? (admin/limited)



eSDee
05-24-2005, 10:35 AM
In Windows XP Pro, is there a way to have a limited account use a different IP address than an Administrator account? Can you do it with just one card or does it have to be done with 2 cards, and using a hardware profile? I want to keep a limited user from surfing the net, but have access to local network. I was thinking that changing their IP to a non-routable IP might be the best way.

Thanks in advance for any advice.

eSDee
05-25-2005, 09:06 AM
Bueller?

seqiro
05-25-2005, 10:59 AM
Can't you just limit the user from installing software and from running iexplore.exe or whatever other browser you have on the system?

navyones
05-25-2005, 11:58 AM
I did a lot of research on your question. I found no way to use different IPs for different users (using the same workstation). The best solution I found was to assign a primary DNS to the user that does not allow him/her to surf the Internet. You would also have to disable the user from changing the DNS. You can set up policies in MMC that would enable you to do this.

I will continue to research the question though, and I will ask around at my college.

eSDee
05-25-2005, 04:25 PM
Quote (seqiro): "Can't you just limit the user from installing software and from running iexplore.exe or whatever other browser you have on the system?"

The thing is that I just want the limited account to have access to my local network so that they don't surf all over the place, but I want an admin account to be able to surf outside the local network.


Quote (navyones): "I did a lot of research on your question. I found no way to use different IPs for different users (using the same workstation). The best solution I found was to assign a primary DNS to the user that does not allow him/her to surf the Internet. You would also have to disable the user from changing the DNS. You can set up policies in MMC that would enable you to do this. I will continue to research the question though, and I will ask around at my college."

Thanks a lot, navyones, that's really nice of you. Please let me know what you find out.

seqiro
05-25-2005, 04:41 PM
Set up a proxy server with password. :)

navyones
05-25-2005, 09:45 PM
Okay, I did manage to talk to my instructor about your question. He stated that it would be almost impossible to accomplish your goal in Windows XP. Windows XP is geared towards the home user. However, it would be easy to achieve your goal using Windows 2003 Server. You can set up group policies, which restrict access to the PC. This would allow you to lock certain people out of the Internet, while allowing others free access.

Jeffbx
05-26-2005, 04:58 AM
Quote (navyones): "Windows XP is geared towards the home user."

I think your instructor is due for some refresher courses... XP is dead-on aimed at businesses. XP Home (which is essentially a crippled version of XP Pro) is, of course, aimed at the home market.

Group policies are a good solution if the machine is part of an Active Directory domain. eSDee - if I remember correctly, you're not running a domain, right?

I'd side with seqiro on this one - set up a proxy server. OR - even easier - set a proxy server address in the profile of the restricted user... you don't even have to have a proxy server running if you don't want him getting out anyway. Check the box marked 'bypass proxy server for local addresses', and this will allow him to access any web sites on the intranet, but keep him off of the internet.

Now, of course, the problem is to set his profile so that he can't change the proxy settings within IE. I'm pretty sure this is possible, but I don't know how. Another limitation is that this blocks browser traffic, but other protocols (ftp, telnet, etc) are still open.

ANOTHER solution is to just remove the gateway address from his machine. Assuming you're running a flat subnet (not routing between subnets), removing the gateway will keep them on the local LAN only. However, I'm not sure if this is a specific profile setting, or if it will affect every user on the machine. Might be something to play with.

If it IS a global setting, another trick you can try is to put a small batch file in his startup script that modifies his routing table. Something like:

ROUTE DELETE 0.0.0.0

will just delete his default route to the gateway. He'll still be able to access anything on the local subnet, but nothing outside (including the internet). Of course if you're using multiple subnets, you may have to make a few additional adjustments.

Hopefully that'll give you a few things to try.
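An added example, not part of the original post: a small longest-prefix-match model of the routing table, showing what deleting the default route leaves reachable and what the "additional adjustments" for multiple subnets amount to. All addresses (192.168.1.0/24 as the LAN, 192.168.2.0/24 as a second internal subnet, 203.0.113.10 as an Internet host) are constructed sample values.

```python
import ipaddress

GATEWAY = "192.168.1.1"   # constructed: the LAN router
ON_LINK = "on-link"       # destination is on the local segment, no gateway needed

def table(*entries):
    """Build a routing table from (cidr, next_hop) pairs."""
    return [(ipaddress.ip_network(net), hop) for net, hop in entries]

# Constructed table as the administrator sees it: default route plus the local subnet.
ADMIN_TABLE = table(("0.0.0.0/0", GATEWAY), ("192.168.1.0/24", ON_LINK))

def lookup(routes, dest):
    """Longest-prefix match; returns (network, next_hop) or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)

def delete_default(routes):
    """Model of ROUTE DELETE 0.0.0.0: drop every 0.0.0.0/0 entry."""
    return [(net, hop) for net, hop in routes if net.prefixlen != 0]

def restricted_table(internal_subnets):
    """Default route removed, one explicit route per extra internal subnet."""
    routes = delete_default(ADMIN_TABLE)
    routes += table(*[(subnet, GATEWAY) for subnet in internal_subnets])
    return routes

def reachable(routes, dest):
    """A destination is reachable only if some route covers it."""
    return lookup(routes, dest) is not None

if __name__ == "__main__":
    cases = {
        "admin (default route present)": ADMIN_TABLE,
        "restricted, flat subnet": restricted_table([]),
        "restricted, second subnet added": restricted_table(["192.168.2.0/24"]),
    }
    for label, routes in cases.items():
        print(label)
        for dest in ("192.168.1.50", "192.168.2.20", "203.0.113.10"):
            hit = lookup(routes, dest)
            print(f"  {dest:15} -> {hit[1] if hit else 'no route'}")
```

On Windows the routing table is machine-wide and changing it needs administrative rights, so the model shows what the table has to look like while the restricted user is logged on, not a way to switch it per account.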

navyones
05-26-2005, 07:48 AM
If he removed the gateway, wouldn't that require him to re-enter the gateway each time he wanted to use the Internet?

Jeffbx
05-26-2005, 10:07 AM
Yes - but this would only apply to the guy to be kept OFF of the internet. When the admin logs in, the gateway should be present.

eSDee
05-26-2005, 05:44 PM
Hmm, these are great ideas. I would need to go across other subnets though. I tried limiting my own account with a bogus proxy server and selected the bypass for local network, but I could still get out to the internet. Am I missing something? I have never set up a proxy server but I would be interested in setting one up if it's not too difficult.

Jeffbx
05-27-2005, 04:50 AM
When you turned on the proxy option, did you have 'automatically detect settings' checked? If so, that might remove the proxy entry if it can't find the server.

Setting up a proxy server is pretty simple. MS has one called ISA (Internet Security and Acceleration server) - http://www.microsoft.com/isaserver/default.mspx

You can download a free 120 day trial copy from the above link. Full version is about $1300. Out of your budget? There are free ones out there - esp. UNIX/LINUX based products - those will probably be better than Windows-based (although may be a little trickier to set up).

yippiekiyeh
06-02-2005, 12:37 AM
You can also limit the types of websites you can access by using Firefox.

Linky (http://tln.lib.mi.us/~amutch/pro/phoenix/proxies.htm)