
I have a networked computer that is used as a remote print/scan server (which is shared by numerous users). Is there any way I can block the machine's internet access while still allowing it to connect to our local network?

edit-

Essentially, it's a Windows XP machine shared between myself and 5 others in my department (a workaround to share a scanner without purchasing a network-enabled scanner). A VNC server is set up on the acting 'server' computer and each user is using a VNC client to access the machine. The machine has its own account and I would like to disable internet access. Is there a way I can disable all internet access from the computer itself without changing group policy settings?

Jon

6 Answers


Blocking the default gateway in the firewall:

    netsh advfirewall firewall add rule name="Block default gateway" dir=out action=block remoteip=192.168.0.1

is a good method because:

  • compared to changing the default gateway address to an invalid one,
        netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.0.0 0.0.0.0
    it doesn't require disabling DHCP;
  • compared to changing the DNS address to an invalid one,
        netsh interface ip set dns "Local Area Connection" static 127.0.0.1 validate=no
    access without DNS (e.g. http://74.125.224.72) is blocked too;
  • compared to
        route delete 0.0.0.0 mask 0.0.0.0 192.168.0.1
    the setting is saved.
John Peterson
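The same idea as the netsh rule above, written as a PowerShell script; this is an added example and not part of the original answer. It discovers the default gateway instead of hard-coding 192.168.0.1, covers IPv6 as well (an IPv6 default route would otherwise leave Internet access open), makes the script safe to re-run, and checks the result. Two caveats that the netsh one-liner hides: `netsh advfirewall` exists only on Vista and later, and the XP-era `netsh firewall` context cannot filter outbound traffic at all, so on the XP machine in the question this has to be done at the router instead; and blocking the gateway also blocks any other LAN subnet that is reached through that gateway, which is what the `$blockAllPublic` switch is for. The NetSecurity/NetTCPIP cmdlets require Windows 8 / Server 2012 or later; the LAN test host address and the rule name are assumptions.

```powershell
# Added example (not the original answer's code): block the default gateway
# with Windows Firewall and verify that the LAN still works.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
#Requires -RunAsAdministrator

$ruleName = 'Block default gateway'   # same display name as the netsh rule

# Set to $true when the LAN spans several subnets behind the same gateway:
# then block every public destination instead of the gateway address, so
# routed LAN-to-LAN traffic keeps working. Ranges skip RFC 1918, loopback,
# link-local and multicast; 2000::/3 is IPv6 global unicast.
$blockAllPublic = $false
$publicRanges = @(
    '1.0.0.0-9.255.255.255',     '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255', '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255','192.169.0.0-223.255.255.255',
    '2000::/3'
)

# Discover the IPv4 and IPv6 default routes instead of hard-coding 192.168.0.1.
$gateways = Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty NextHop -Unique |
    Where-Object { $_ -ne '0.0.0.0' -and $_ -ne '::' }
if (-not $gateways) { throw 'No default route found; nothing to block.' }

$remote = if ($blockAllPublic) { $publicRanges } else { $gateways }

# Remove a stale copy of the rule so the script is idempotent.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block rules win over allow rules in Windows Firewall, so no other rule
# can re-open this path; the rule is persisted and survives reboots.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
    -RemoteAddress $remote -Profile Any -Enabled True | Out-Null

# Verify with ICMP: a LAN host must stay reachable, the gateway and any
# off-LAN address must not. $lanHost is an assumed address of another LAN
# machine; pick one that answers ping.
$lanHost = '192.168.0.10'
$checks = @(
    @{ Target = $lanHost;            Expect = $true  }
    @{ Target = [string]$gateways[0]; Expect = $false }
    @{ Target = '8.8.8.8';           Expect = $false }
)
foreach ($c in $checks) {
    $ok = Test-NetConnection -ComputerName $c.Target `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    $verdict = if ($ok -eq $c.Expect) { 'as expected' } else { 'UNEXPECTED' }
    '{0,-20} reachable={1,-5} {2}' -f $c.Target, $ok, $verdict
}
```

Whoever uses the machine must not be a local administrator, or they can simply delete the rule (`Remove-NetFirewallRule -DisplayName 'Block default gateway'`); the same applies to every host-side method on this page. If the gateway is also the LAN's DNS server, name resolution stops with it, which does not matter for the stated goal but is worth knowing when something on the LAN is reached by name.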

I think the simplest way of doing this is to set a wrong default gateway.


I tried the solution @MaciekSawicki proposes, but I couldn't get it to work. When I set the default gateway to something invalid, it was unable to connect to the network at all, not even the local intranet.

Instead, I accomplished this by leaving the connection on DHCP (or a valid manual config) and setting the DNS manually. The first DNS server I set to an invalid IP address (192.0.0.0) and left the second one blank, so no domains can be resolved to an IP address. This means that anything that explicitly uses the IP instead of a domain name will work, but all names will fail. This makes it pretty useless for end users trying to check their Facebook. If you want to add an allow list of domains that users can resolve, you can put them in a hosts file. Just make sure to keep it updated if IP addresses change.

Mike
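A scripted version of this answer's approach, added here as an example and not part of the original answer: it keeps a managed block of allow-listed names in the hosts file (re-running the script refreshes the addresses, which is the "keep it updated" part), then points the adapter at a DNS address that never answers. The names are resolved through an explicitly named server, so the script still works after the adapter's own DNS has been sinkholed. The adapter name, the allowed host names and the resolver address are assumptions; the DnsClient cmdlets need Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example (not the original answer's code): DNS sinkhole plus a
# managed allow list in the hosts file.
#Requires -RunAsAdministrator

$adapter      = 'Ethernet'                                         # assumed adapter name
$sinkholeDns  = '192.0.2.1'                                        # RFC 5737 TEST-NET-1: never answers
$allowedNames = 'intranet.example.com', 'printserver.example.com'  # assumed allow list
$resolver     = '192.168.0.1'                                      # assumed: a DNS server that can resolve them
$hostsPath    = "$env:SystemRoot\System32\drivers\etc\hosts"
$beginMark    = '# BEGIN managed allow list'
$endMark      = '# END managed allow list'

# 1. Resolve the allow list via an explicit server (bypasses the sinkhole).
$entries = foreach ($name in $allowedNames) {
    $rec = Resolve-DnsName -Name $name -Type A -Server $resolver -ErrorAction Stop |
           Where-Object QueryType -eq 'A' | Select-Object -First 1
    '{0,-16} {1}' -f $rec.IPAddress, $name
}

# 2. Rewrite only the managed block, leaving the rest of the hosts file intact.
$keep    = New-Object System.Collections.Generic.List[string]
$inBlock = $false
foreach ($line in @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -eq $beginMark) { $inBlock = $true;  continue }
    if ($line -eq $endMark)   { $inBlock = $false; continue }
    if (-not $inBlock)        { $keep.Add($line) }
}
$keep.Add($beginMark)
foreach ($e in $entries) { $keep.Add($e) }
$keep.Add($endMark)
Set-Content -Path $hostsPath -Value $keep -Encoding ASCII   # hosts must be plain ASCII, no BOM

# 3. Sinkhole the adapter's DNS and drop cached answers.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $sinkholeDns
Clear-DnsClientCache

# 4. Verify: allowed names come from the hosts file, anything else fails.
foreach ($name in ($allowedNames + 'www.example.org')) {
    try   { $ip = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop)[0].IPAddress; "$name -> $ip" }
    catch { "$name -> unresolved" }
}
```

An unreachable sinkhole address means every lookup waits for the resolver timeout before failing, so browsers hang for a few seconds per page; pointing DNS at 127.0.0.1 with nothing listening on port 53 fails immediately instead, as in the first answer. The bypasses are the ones the answer already names: typing an IP address, or changing the adapter's DNS or the hosts file, both of which a local administrator can do.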

I believe you could do this at the router level (depending on your QoS) and put in a rule to BLOCK all traffic (outbound off the LAN) for that specific server/computer IP.

That way the server can function just fine internally but the router will drop / deny all access externally.

yhw42
Jakub

The easiest way to do this by far (but anyone technical could bypass it) is simply to go to Internet Properties and change the proxy to something non-existent.

Other than this, if you have no intranet, you could look at Windows Firewall (if this is Vista+; not sure XP supports this) and block port 80 outgoing.

Both of these methods can be countered if the machine is not locked down.

Personally, if there is no reason for users to be on this other than their programs, just completely lock it down through group policy.

William Hilsum

I also think that changing the default route in your router should do the trick. However, this will not stop the router from routing if one points to it. Changing the default route as published by the DHCP server will only remove the default route from the client computers. Anyone who adds the route manually will then gain internet access back. And removing the default route FOR THE ROUTER ITSELF might not be a good idea, as it denies access to the internet for everyone.

Another solution might be routing based on the source IP. You could block internet access to IP addresses under x.x.x.128, allowing others. If you have a Linux-based router, such rules could easily be programmed. With a router such as those you buy at the store, this may be a bigger challenge.

Many routers may also have access permissions that can be based on IP range. Check your own router configuration. Or just go Linux!

jfmessier