How to use Group Policy to Allow or Block URL’s



This is another article I have written that address’s the commonly asked question on the Group Policy forum as to how you can use group policy to block or allow users to specific web site URL’s. It goes without saying that the most effective way to implement content filtering for the internet is to maintain list of sites on your proxy server/firewall in your organisation. However you might not have any proxy or firewall that can do this and this method is also not affective when a user is connected to the internet outside the corporate network.

Luckily there is an option in the Internet Explorer Maintenance group policy section that allows you to configured an allow/never list of URL’s for your users. If you are configuring this option I also suggest your also check out one of my other article How to configure AppLocker Group Policy in Windows 7 to block third-party browsers to prevent users from running non-IE browsers to get around this restriction as this is an IE only policy setting.

How to configure Internet Explorer to Allow and Block URL’s

Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.

Step 2. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on the “Security Zones and Content Ratings”

image

Step 3. Select “Import the current Content Ratings settings” and then click on the “Modify Settings” button

image

Step 4. Click on the “Approved Sites” tab

image

Step 5a (Black List). Type the name of the URL that you want to block in the “Allow this website” text field and then click “Never” then “OK”

image[83]

Step 5b (White List). However if you are trying to maintain a white list of URL’s then type the name of the site you want to allow it the “Allow this website” text field and then click “Always” then “OK”

image

Note: You will probably want to add the internal domain name of your companies AD to the Allow list of as well to ensure users can access the intranet web sites. Also note that while wildcards are supported in the URL’s, but adding just the URL “*” does not work. While this would be very handy to configure a white list I will show you how to get around this restriction in further steps below.

Now we have to create a supervisor password that will be used for making any subsequent changes to the Allow/Never URL list. This password can also be used by the user (if they know it) to work around these URL restrictions. However as this password is applied by policy it will be the same password for all users so think about chancing the password often.

Step 6. Type the same password in both the “Password” and “Confirm Password” fields and type at hint in the “hint” field. You could also type something like “To get this password please contact the help desk on 5555-5555”.

image

By default when you enable the content advisor it will automatically block any web site that does not have a rating configured.  Therefore you will want to turn this blanket restriction off in step 8 if you all you are trying to do is block specific URL’s in a black list configuration.

Step 8 (Black List). Tick “User can see websites that have no rating” then click “OK”

image

Note: For white list configuration leave the “User can see websites that have no rating” un-ticked so that all web sites will be blocked.

image

Step 9. Click OK

image

Done.

If you configured a black list then a user will be allowed to go to all web sites except the URL that you specifically blocked. When the user does hit a web site that is blocked they will be presented with dialogue box explaining why they are not able to visit the web site and an option to visit the site only if they know the supervisor password.

image

If they click Cancel nothing will happen and if they press OK they will get presented with this dialogue box.

image

Below is another example message that is presented when visiting a site without a rating and you have configured the policy not load sites that do not have a rating which you will see if you have configured this as a white list.

image

If you are using a white list configured and a users will still be able to visiting as site so long as it is ICRA3 rated and it does not report as having content that falls into any of the rating categories. Therefore this method is not 100% affective for a white list strategy but you do find your users visiting a site that is not specifically allowed then you can simply added it as a blocked URL.

Related Resources:

If you have played with this setting and are looking for a way to remove this setting from the group policy then see my posting How to remove imported Internet Explorer Group Policy Settings

You will also find that the computer you have made these URL restrictions on will now have the supervisor password set (I assume its something about how IEM GPMC interacts with the local computer) so to Remove IE Supervisor Password just delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Ratings key and it will reset the Content Advisor settings back to defaults.

27 Comments

  1. I have done this however while the policy is on the domain and gets applied to the correct users, the settings are tied to the workstation the policy was created on. I discovered that if I removed the policy settings on the local machine, they were erased in the domain policy. In addition while the policy showed on the domain if another administrator tried to edit the policy all they got were the defaults, the list of sites I added were not there…

    Is there a way to do this that won’t tie it to a workstation/server and so that other admins can use MMCs to change it?

    • Good question… I believe this is a quirk with how it is applied so users can work around the restriction. I will let you know if i find out for sure.. .

    • Sorry to hear that it did not work… But i would refere you to this quote in the article… “It goes without saying that the most effective way to implement content filtering for the internet is to maintain list of sites on your proxy server/firewall in your organisation”

  2. Alan, all of our desktops are cookie cutter PCs (meaning they are all of the same model and the hard drives have all be imaged the same). Some managers have asked me to allow only certain websites on some of the PCs. I have been using content advisor to accomplish this. On some PCs, content advisor works perfectly and I can block/allow certain websites; however, on some PCs, content advisor does not work. When I click the enable button, nothing happens. This is very puzzling to me. Can you please tell me why on some PCs the content advisor enable button works and on some other PCs the content advisor enable button does not work. I have check group policy on a PC that works and a PC that doesn’t work, and everything looks the same … am I missing something.

  3. Hi Allan,

    Thanks for the information. That was very helpful…is there a way we can block URL with any domain (for example – Yahoo.com / Yahoo.ca / Yahoo.fr), can I add yahoo.* will it work or is there any other way we can do that, please let me know.

  4. I have applied this group policy for content filtering . the thing which is driving nuts is , its prompting password for every website , even if i check mark the “users can see websites that have no rating ” .
    I dont understand this … please help !!

    • Sorry… this would only work for Internet Explorer… in fact this option has now been removed from IE10 so it only applies to all IE Browser before IE9…. Best to implement this as a restriction on the proxy server

  5. Actually content advisor is still available in IE 10 ….. It took tons of research but I found out it is still there . You can go about it a couple of ways. You can enable through group policy editor or edit a registry key.

    Group Policy Branch: User Management – Admin Templates – Windows Components – Internet Explorer – Internet Control Panel – Control Panel

    Set Show Content Advisor to enable

    Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main

    modify ShowContentAdvisor key to 1

    Once your changes are made

    1. open IE 10
    2. from top menu select Internet Options
    3 Select Content Tab
    4. Content Advisor with the option to enable and settings is available

  6. Alan, the reason this is happening on the machine you create the policy on is because the IE Maintenance section of the policy is pulling in your local machine when you hit the “Import” button – making changes when you are in there is making those changes to your computer, and then importing when you hit OK. It’s the only part of the GPMC that does this, and I’ve been hoping Microsoft would change it since I started using it back with IE5. For this reason, it’s often a good idea to always make sure you update this section of the GP from a machine that doesn’t have any non-standard IE settings configured, and I usually do a gpupdate /target:user /force before I open it, just to make sure my settings are reset.

    • Hi Chris, I have been experiencing so much difficulty with my GPMC with Internet Explorer 11. Some of my computers running IE11 on the domain are block from the internet which is great but some are not. This has been a problem for months and taking me months of searching for help. Your comment is the closest to what im having problems with. Could you explain in a bit more depth on how I can get my computer which are not pulling the GPMC to act the same way. (If you understand what I mean) Many Thanks Danny

  7. I have win server 2k8 and trying to block a particular site from gpo. I use the step :::: Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.
    Step 2. Navigate to User Configuration > Policies > Windows Settings > but after this step , internet explorer maintenance is not showing up…pls help me

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>