5

I'd like to block internet by default on a Windows 10 computer (connected with ethernet cable).

Temporarily, I'd like to allow internet access (by launching a script .bat, .py (Python is ok), or anything else), with a password prompt.

After a reboot, it should always return to "blocked".

How to do this with Windows built-in tools (ideally without installing any third-party software)?

Note: As suggested in a comment, is there a way to block the Ethernet adapter via command-line? Then I would pack this in a .BAT batch script, with a prompt with a password, it will be enough for my use case (limit internet to kids; if they manage to edit the script to unblock themselves, then it's a good sign they like scripting, and then they deserve internet access!)

Basj
  • 2,143

3 Answers

3

Enabling or disabling the internet by enabling/disabling the network adapter is easy. Just note that the computer will also lose all network connectivity, for example for connecting to a local network printer via the network.

This requires the administrator password, so is protected as long as the kids haven't found it out (and if they did, then no limitations will work).

Using batch commands

Running the Command Prompt as administrator, you may list all the network interfaces using the following command:

    netsh interface show interface

The exact adapter name is to be found under the column "Interface Name".

Once you know the name, the following commands will disable or enable the adapter:

    netsh interface set interface "YOUR-ADAPTER-NAME" disable
    netsh interface set interface "YOUR-ADAPTER-NAME" enable

Using PowerShell

Run "Windows PowerShell" as administrator. To list the adapters, enter:

    Get-NetAdapter | Format-Table

You will find the adapter under the column "Name".

To disable or enable the adapter use:

    Disable-NetAdapter -Name "YOUR-ADAPTER-NAME" -Confirm:$false
    Enable-NetAdapter -Name "YOUR-ADAPTER-NAME" -Confirm:$false

For more information and methods, see the Microsoft Scripting blog post "Enabling and Disabling Network Adapters with PowerShell".


You might also be interested in Windows Family Safety, which allows you to monitor and limit the activities of your kids.

harrymc
  • 498,455
2

In addition to harrymc's answer, which provides a nice way to block all network traffic, here is an easy method to keep access to your LAN (e.g. printers, NAS etc.), but to block internet access:

route delete 0.0.0.0 removes the default route from the routing table. That is, the PC still knows how to communicate with the subnet your Ethernet adapter is part of, but it doesn't know where to send packets whose destination is outside that subnet. To get connected again, just do route add 0.0.0.0 mask 0.0.0.0 aaa.bbb.ccc.ddd, where aaa.bbb.ccc.ddd is the IP address of your gateway (router).

Your password requirement is satisfied by the fact that administrative permissions are necessary to execute the route command. You can put the two commands shown above into two different batch files and create shortcuts to them on your desktop, for example. Then edit the properties of the shortcuts, hit the "Advanced ..." button and check "Run as Administrator". Each time you execute the shortcuts, Windows' UAC will pop up (unless you have disabled it or you are already Administrator) and ask for the administrator password (unless you are a member of the Administrators group).

However, please note the following:

  • This may or may not work well for you, depending on whether or not that PC is configured via DHCP (using DHCP, a router can announce itself as gateway, which could override the settings you have made). I would recommend giving that PC a static IP address or using harrymc's solution.

  • I can't test at the moment, but I suspect that the default route gets set again when you reboot the PC, at least if it is configured via DHCP, so your requirement "blocked after reboot" is not satisfied in the first place. You can circumvent this by having Windows execute your "disable-script" upon startup, for example via the task scheduler (but there are also other mechanisms). So harrymc's solution again might be easier.

I am solely proposing this because, as explained above, it is less radical and blocks access only to the internet, but not to your local subnet.

As a final word, there are other ideas. For example, remove the DNS server from the network configuration (once again, access to your local subnet, no access to internet, may be circumvented by DHCP), or have the firewall block traffic to the internet, but not to your local subnet (the firewall solution definitely survives reboots and can't be circumvented by DHCP).

The basic idea is always the same: All commands needed to implement these ideas require administrative permissions and can be used in CMD or PowerShell scripts. So it is easy to let Windows handle the password part (via UAC).

Binarus
  • 2,039
  • 14
  • 27
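
Binarus's firewall idea as an added PowerShell example (not part of the original answer): outbound block rules that cover public IPv4 space and IPv6 global unicast, leaving private LAN ranges reachable. The rule names are hypothetical, and the address list assumes the LAN uses RFC 1918 addressing.

```powershell
#Requires -RunAsAdministrator
# Added example: block outbound Internet traffic while keeping the LAN reachable.
# Rule names below are hypothetical; pick any names you like.
$RuleNames = 'KidsInternetBlock-v4', 'KidsInternetBlock-v6'

# Public IPv4 space: everything except 0/8, 10/8, 127/8, 169.254/16,
# 172.16/12, 192.168/16, multicast (224/4) and broadcast.
$PublicV4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
$PublicV6 = '2000::/3'   # IPv6 global unicast

function Install-InternetBlock {
    # Remove earlier copies so the function can be re-run safely.
    Get-NetFirewallRule -Name $RuleNames -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -Name $RuleNames[0] -DisplayName 'Block Internet (IPv4)' `
        -Direction Outbound -Action Block -Profile Any `
        -RemoteAddress $PublicV4 | Out-Null
    New-NetFirewallRule -Name $RuleNames[1] -DisplayName 'Block Internet (IPv6)' `
        -Direction Outbound -Action Block -Profile Any `
        -RemoteAddress $PublicV6 | Out-Null
}

function Set-InternetBlock {
    param([Parameter(Mandatory)][bool]$Blocked)
    # Toggling Enabled keeps the rule definitions in place.
    if ($Blocked) { Enable-NetFirewallRule -Name $RuleNames }
    else          { Disable-NetFirewallRule -Name $RuleNames }
    # Report the resulting state of both rules.
    Get-NetFirewallRule -Name $RuleNames | Select-Object Name, Enabled, Action
}

Install-InternetBlock
Set-InternetBlock -Blocked $true
```

Block rules take precedence over allow rules in Windows Defender Firewall, so no per-application allow rule reopens access. A disabled rule stays disabled across reboots, so `Set-InternetBlock -Blocked $true` has to run from an elevated startup job for the machine to return to "blocked" after a restart.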
1

Inspired by @harrymc's answer, here is what I finally use:

  • Create a Task Scheduler task using the method from How to run a program as an administrator at startup on Windows 10?, to launch a .bat file that does this on startup:

    netsh interface set interface "Ethernet" disable
    
  • Then if Python is installed on your machine, create an unblockinternet.py file that does this:

    import hashlib, getpass
    # pywin32 module; ShellExecuteEx with the 'runas' verb triggers the UAC elevation prompt
    import win32com.shell.shell as shell  # required on Win10 to run with elevated privileges

    # Prompt without echoing the input, then compare its SHA-256 digest to the stored one
    pwd = getpass.getpass().encode()
    if hashlib.sha256(pwd).hexdigest() == 'ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea': # password: blabla
        # Re-enable the adapter from an elevated cmd.exe
        commands = 'netsh interface set interface "Ethernet" enable'
        shell.ShellExecuteEx(lpVerb='runas', lpFile='cmd.exe', lpParameters='/c '+commands)
    

    When my kids double-click on the "unblockinternet" shortcut, a password will be prompted.

    Of course, once they learn Python or batch, they will be able to just copy-paste the netsh ... enable ;) But for now it's ok!

    I could also encrypt the string 'netsh interface set interface "Ethernet" enable' with an encryption key derived from pwd so that this line of code is invisible in the .py file. I'll do that later.

NB: I first tried with this: run shell:common startup, open the "Startup" folder, create a new shortcut there that does netsh interface set interface "Ethernet" disable, go in the shortcut properties, and set to "Minimized" by default. But this does not work: on Windows 10, to run programs requiring elevated privileges on startup, you need to use another method such as the Task Scheduler method linked before.

Basj
  • 2,143
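
The startup step from this answer, done with the ScheduledTasks cmdlets instead of the Task Scheduler GUI; this is an added example, not part of the original answer. The task name is hypothetical, and "Ethernet" is the adapter name the answer uses.

```powershell
#Requires -RunAsAdministrator
# Added example: register a boot-time task that disables the adapter.
$TaskName = 'DisableEthernetAtBoot'   # hypothetical task name
$Adapter  = 'Ethernet'                # adapter name from the answer

function Register-BootBlock {
    # Same netsh command the answer puts in its .bat file.
    $action = New-ScheduledTaskAction -Execute 'netsh.exe' `
        -Argument "interface set interface `"$Adapter`" disable"
    # Fire at system startup, before anyone logs on.
    $trigger = New-ScheduledTaskTrigger -AtStartup
    # Run as SYSTEM so no stored password is needed and no UAC prompt
    # appears; standard users cannot edit or delete the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    # By default a task does not start on battery power; lift that
    # restriction so a laptop is blocked as well.
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
        -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal -Settings $settings -Force
}

function Get-BootBlockStatus {
    # Summarise whether the task exists and what the adapter is doing now.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $nic  = Get-NetAdapter -Name $Adapter -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TaskRegistered = [bool]$task
        RunsAs         = $task.Principal.UserId
        TaskState      = $task.State
        AdapterStatus  = $nic.Status
    }
}

Register-BootBlock | Out-Null
Get-BootBlockStatus
```

After the next reboot, `Get-BootBlockStatus` should report the adapter as `Disabled` until the unblock script is run.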