IP Sec GPO question

Status
Not open for further replies.

bleachlpb

IS-IT--Management
Jul 18, 2003
57
US
I am trying to apply an IP Security policy to a group of users using a GPO - but you can only apply IP Security policies under the computer configuration and therefore I cannot effect this change to specific users and only specific computers.

Here is the scenario: I want to restrict access to the Internet. I could just allow access to all computers by default, then create a security group (i.e. "DenyInternet"), add computer accounts to that group that I don't want to have access, then configure that group to apply a GPO that denies HTTP/HTTPS using an IP security policy. This works now.

But, because users often hop around different machines, this will not work. It's almost like Group Policy Loopback Processing - but the other way around. Instead of applying user policies based on the location of a computer account, I want to apply a computer policy based on a user account. But since the computer policies process when the computer turns on and not when a user logs on, I may have just answered my own question. But I'm hoping someone out there might have a better solution or know something that I don't.

Currently, users are restricted from the internet by way of an authentication applet which is very annoying.

Thanks,
Michael Pare
 
You did answer your own question. It is easier to apply the GPO to a user in an OU than to create a group, have the users join the group, then apply the GPO to the group through security filtering. I think Microsoft blew it when they didn't allow GPOs to affect groups directly.
 
Thanks for your quick reply. Actually, because the IP security policies are located under the computer configuration, even if I add the users I wish to not have internet access to a new OU, then link the GPO denying HTTP/HTTPS to that OU - it still doesn't work (I tried).
 