Question : Block Internet access per AD user account on network.
Looking for a way to block individual users from Internet access from the local LAN. Can I do this within AD policies somehow, or do I need to install a proxy server? I really don't want to install software if at all possible. Basically, if you plug into our LAN you have Internet access; I want to change this so that unless I grant access to specific users, Internet access will be denied.
Thanks for any help or suggestions.
PW
Answer : Block Internet access per AD user account on network.
This will be tricky if you are not going to run a proxy server (ISA is very good at this). If your users are on DHCP and you are not going to install anything, then you could do this:

Add a DNS server that can resolve internal IP addresses but that won't forward to the Internet (DNSSRV1 resolves Internet, DNSSRV2 does not).
Create a user-defined DHCP class.
Give these users DNSSRV1 as the DNS server.
Set all the clients you want to be allowed the Internet to use the special DHCP class ID.
All people that connect to your network will get the basic options and will not have the ability to resolve Internet addresses.
Also block port 53 at the firewall except for your DNS server that forwards to the Internet. This prevents them from entering their own static DNS settings.

With ISA, you could manage it by user account. With this alternative, you have to add another DNS server and maintain clients.
I am guessing you do not want to restrict them from running IE at all, since there may be intranet content.
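
The DHCP user class setup described in the answer, as an added example that is not part of the original post. It assumes a Windows DHCP server with the DhcpServer PowerShell module and the DnsServer module for DNSSRV2; the IP addresses, scope, class name and adapter name are constructed placeholders.

```powershell
# Added example. DNSSRV1/DNSSRV2 are the names used in the answer above;
# every address, the scope ID, the class name and the adapter name are
# constructed placeholders to replace with your own values.
$ScopeId     = '10.0.0.0'       # DHCP scope serving the LAN (assumed)
$DnsInternet = '10.0.0.11'      # DNSSRV1: resolves Internet names
$DnsInternal = '10.0.0.12'      # DNSSRV2: internal names only
$ClassName   = 'InternetUsers'  # user-defined DHCP class (hypothetical name)
$Adapter     = 'Ethernet'       # client adapter name (assumed)

# --- On DNSSRV2 ---
# One way to stop it resolving Internet names: turn recursion off, which
# also disables forwarders. It keeps answering for zones it hosts itself.
Set-DnsServerRecursion -Enable $false

# --- On the DHCP server ---
# 1. Define the user class. The class data is the ID string clients present.
Add-DhcpServerv4Class -Name $ClassName -Type User -Data $ClassName `
    -Description 'Clients allowed to resolve Internet names'

# 2. Basic (default) option: anything that plugs in is handed DNSSRV2.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DnsInternal

# 3. Class-specific option: only clients presenting the class ID get DNSSRV1.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $ClassName `
    -DnsServer $DnsInternet

# 4. Review option 6 (DNS servers) for the default and for the class.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 -UserClass $ClassName

# --- On each client that is allowed Internet access ---
ipconfig /setclassid $Adapter $ClassName
ipconfig /renew $Adapter

# --- Perimeter firewall (device-specific, not shown) ---
# Permit outbound TCP/UDP 53 only from $DnsInternet and deny it from every
# other internal address, as the answer describes.

# --- Check from a client that has only the basic options ---
# Public names must not resolve through DNSSRV2.
Resolve-DnsName 'www.example.com' -Server $DnsInternal
```

The class ID is stored per network adapter on the client machine, so this arrangement distinguishes machines rather than AD user accounts.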