3
1
I use Windows 10 and want to restrict a specific user from accessing any of the network resources. I only want him/her to access the local physical drives but no other network resources such as other computers in the same network. I do not even want the user to see the network resources available.
Is that possible?
Matthias Wolf
Posted 2015-09-21T08:40:41.177
Reputation: 375
3
If you have a domain you can create a Group Policy for that user. Create one OU for that user and add a new GPO for that OU.
On that GPO go to "User Configuration\Administrative Templates\Network\Network Connections" and enable/disable whatever you want for that user.
To disable explorer to show remote computers you need to Enable in "User Configuration\Administrative Templates\Windows Components\File Explorer" the elements "No Computers Near Me" and "No Entire Network".
If you don't have a domain and you have a non Windows Home version you can edit the local Group Policy for that user. So you should log in with it's user and run gpedit.msc.
Go to User Configuration\Administrative Templates\Network\Network Connections and enable/disable what you want.
To disable explorer to show remote computers you need to Enable in "User Configuration\Administrative Templates\Windows Components\File Explorer" the elements "No Computers Near Me" and "No Entire Network".
The only problem if you don't have a domain it's if the user knows how to enter gpedit.msc he could remove your restrictions.
The restrictions about not to show the computers of the network it's easy bypassed if the user writes on explorer or in the run window the direct UNC path to the resource.
If you don't have a domain and you have a Windows Home version the only way it's to use some application for Parental Control, but that's not free.
More info: https://technet.microsoft.com/en-us/library/cc732613%28v=ws.10%29.aspx
NetVicious
Posted 2015-09-21T08:40:41.177
Reputation: 450
what do you mean with "if I have a domain"? – Matthias Wolf – 2015-09-21T09:08:02.833
Also, the statement "The only problem if you don't have a domain it's if the user knows how to enter gpedit.msc he could remove your restrictions." does not seem to be correct. My "standard user" does not have permission to access the local group policy editor. – Matthias Wolf – 2015-09-21T09:09:37.770
If you don't know what domain means, you won't have one ;) Still there is a way to install the local group policy to the home version of windows. https://www.youtube.com/watch?v=oqk3vtTYfzY (haven't seen the video though, but I know that it works ;))
– A1985 – 2015-09-21T09:09:58.277I have Windows 10 Pro, and can manage local group policies. Also the local group policy access can be blocked for non admin users. Thanks, I will take a look what I can disable within Network Connections... – Matthias Wolf – 2015-09-21T09:11:40.017
I checked but there is no Setting that lets me disable network resources...?!? And also I do not see how those settings pertain to specific users or user groups??? – Matthias Wolf – 2015-09-21T09:13:11.740
Check if that user it's member of administrators or network configuration operator groups.
It can be necesary to change the rights of the user to do the configuration if you don't have a domain. You can remove that membership after the configuration. – NetVicious – 2015-09-21T11:04:07.150
@NetVicious, I already have full admin rights, and there is no setting to restrict or block local network resources or local network access for specific users. – Matthias Wolf – 2015-09-23T05:53:51.417
@MattWolf Look at the left tree of this image: https://technet.microsoft.com/en-us/library/Bb457117.f23zs05_big%28l=en-us%29.jpg
– NetVicious – 2015-09-23T10:07:29.630@NetVicious, what you point to is a restriction to access settings and properties. My question is about blocking any sort of inbound and outbound net traffic to a specific IP address and that should pertain to a specific user or user group. – Matthias Wolf – 2015-09-23T10:13:42.667
@Matt Wolf I Edited my answer and I added a new path on the GPO MMC to disable some explorer things and not allow it to show the near computers and the link for the entire network. Mind that this kind of block only don't shows it on the File Explorer, if the user knows the direct UNC path he can access to it if he has the rights to do it.
For do more restrictions you should block more and more options in explorer (run option on start menu as example), but mind me 100% security it's near impossible. Secure your remote network shares to disable access of that user should be the only way. – NetVicious – 2015-09-23T12:43:59.333
The only reliable solution would be using a group policy. You could however also try to use parental control and block specific applications. – A1985 – 2015-09-21T08:47:42.033
How can I set up group policies? – Matthias Wolf – 2015-09-21T08:56:58.910