Question : Windows Domain: how to block certain websites from select AD users only?

I have a Windows Server 2003 Domain:

Multiple servers, all Windows 2003....
Organized into multiple OU's....
Have existing hardware content-filter, but it's all or nothing (blocks web sites)...
Client computers all XP SP2 or 2000 SP4...  (300+ computers)

How do I block certain websites from select AD users only?  For example, I want to block yahoo.com/aol.com from a select group of users in one OU, but want to allow other OU users to still access these websites.

1. I have tried Group Policy...  IE settings to block by "Restricted Zones" but this only shows up in their browser as "Restricted X" in IE, but still allows the websites to be viewed.  I think this only blocks cookies/activex, but not sure.  Also, the "Content" GP does not work.

2. I am thinking of installing ISA server 2004, however I would like you to tell me if this will solve my problem or if I have other options I should try first?

Thanks

Please note:  If I were to edit DNS records and add the wrong IP to the record, then that would block all users, this is not what I want, I want to selectively filter certain users while allowing certain users.

Answer : Windows Domain: how to block certain websites from select AD users only?

iPrism appliance is about the same $ as an ISA package license (remember, you have to have the server license underneath it as well as the ISA license, as well as a good server box to run it on), and includes full 3 years of maintenance on the appliance, 3 years of daily subscription updates, software updates, etc. To get the same functionality on ISA, you still have to have some 3rd party applications for filtering by category. The iPrism gives you a tremendous amount of flexibility to use it as an invisible inline filter, a 1-legged proxy server, or with WCCP redirects from a router. It integrates into AD, is extremely simple to set up and operate, is extremely effective, and has a bunch of standard reports that you can pull up any time from the web interface. It also gives you the ability to control IM, POP3 mail and downloads by file extension at the network layer. ISA does not give you this capability.

If you only want to block a few web sites, there is a simple low-tech way to do it. On your internal DNS server, simply create a new zone, for example AOL.com, and put in a bogus IP address (or your own web server) for the A record for WWW.AOL.com.
Users are forced to use your DNS server, and your DNS server just hands them a bogus IP for the web sites you want to block. Set up a 2nd DNS server without these bogus entries and set your "trusted" users to use it as the primary DNS instead of the other one.
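The DNS sinkhole procedure above, scripted as an added example (not from the original answer) with dnscmd.exe, which ships in the Windows Server 2003 Support Tools; the server names FILTER-DNS and TRUSTED-DNS and the sink address 192.0.2.1 are assumptions.

```batch
@echo off
REM Added example, not part of the original answer. Assumed names:
REM   FILTER-DNS  - the DNS server the restricted OU's clients point at
REM   TRUSTED-DNS - the second DNS server with no sinkhole zones
REM   192.0.2.1   - constructed, non-routable sink address (RFC 5737 TEST-NET-1)

SET FILTER=FILTER-DNS
SET SINK=192.0.2.1

REM Create each sinkhole zone as a standard, file-backed primary on the
REM filtering server only. Do NOT use /DsPrimary here: an AD-integrated zone
REM replicates to every DC running DNS, including TRUSTED-DNS, and would then
REM block every user instead of just the restricted OU.
FOR %%Z IN (aol.com yahoo.com) DO (
    dnscmd %FILTER% /ZoneAdd %%Z /Primary /file %%Z.dns
    REM Zone apex and www both resolve to the sink; add other hosts as needed.
    dnscmd %FILTER% /RecordAdd %%Z @ A %SINK%
    dnscmd %FILTER% /RecordAdd %%Z www A %SINK%
    REM Because FILTER-DNS is now authoritative for the whole zone, any other
    REM name under it gets NXDOMAIN rather than being resolved upstream.
)

REM Show what the filtering server now hands out for the zone apex.
dnscmd %FILTER% /EnumRecords aol.com @

REM Verify from a client in each OU: the restricted resolver should return
REM the sink address, the trusted resolver the real one.
nslookup www.aol.com FILTER-DNS
nslookup www.aol.com TRUSTED-DNS
```

Remember that this only works while clients cannot change their own DNS settings, so keep the resolver addresses enforced through DHCP reservations or Group Policy for the restricted OU.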
