How to Block Internet Access with Group Policy (GPO)

This how-to shows you how to block internet access for a user, a group of users, or a computer using an Active Directory Group Policy Object. I’ve tested this on Windows 7 and Windows 10 and it works great!

There are plenty of tutorials out there that block access by enforcing a non-existent proxy. This method will work for some things, but not all software uses these proxy settings to connect to the internet, so it doesn’t necessarily stop a determined user or bad guy.

This tutorial suggests using Windows Firewall, managed through Active Directory, to block all internet IP addresses in addition to enforcing a non-existent proxy. Both technologies are built into Windows.

If we didn’t do both, a proxy could exist on your network in the private IP ranges (which are allowed) and still provide internet access. You can apply this group policy to individual users or whole OUs as you see fit, and it will work well across all devices.

Be wary, though: with Windows Firewall the order of rules doesn’t really matter, and Block rules take priority over Allow rules. That is why we block only the non-private IP ranges; in other words, we block the entirety of the IP addresses on the wider internet and leave the private RFC 1918 and RFC 5735 ranges out of the rule altogether.
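One way to derive and sanity-check such a block list, as an added example that is not part of the original article. The `KEEP` list is an assumption (RFC 1918 plus loopback, link-local, multicast and broadcast), so its output may differ from the article's own ranges; it covers IPv4 only.

```python
import ipaddress

# Assumption: the ranges that must stay reachable (RFC 1918 plus the
# RFC 5735 special-purpose blocks). This list is not taken from the article.
KEEP = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",          # loopback
    "169.254.0.0/16",       # link-local
    "224.0.0.0/4",          # multicast
    "255.255.255.255/32",   # limited broadcast
]

def block_ranges(keep=KEEP):
    """Return (first, last) IPv4 pairs covering everything outside `keep`."""
    ranges, cursor = [], 0
    nets = (ipaddress.ip_network(n) for n in keep)
    for net in ipaddress.collapse_addresses(nets):  # sorted and merged
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:
            ranges.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= 0xFFFFFFFF:
        ranges.append((cursor, 0xFFFFFFFF))
    return [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ranges]

def overlaps_keep(ranges, keep=KEEP):
    """Return (range, kept network) pairs that collide. Block beats Allow,
    so any hit here would cut off internal traffic."""
    hits = []
    for first, last in ranges:
        for blocked in ipaddress.summarize_address_range(first, last):
            hits += [(f"{first}-{last}", k) for k in keep
                     if blocked.overlaps(ipaddress.ip_network(k))]
    return hits

def as_dialog_text(ranges):
    """Format pairs as From-To strings for the "This IP range" dialog."""
    return [f"{a}-{b}" for a, b in ranges]

if __name__ == "__main__":
    for line in as_dialog_text(block_ranges()):
        print(line)
    # Constructed typo: an upper bound that runs into 192.168.0.0/16.
    bad = [(ipaddress.IPv4Address("172.32.0.0"),
            ipaddress.IPv4Address("192.168.255.255"))]
    print(overlaps_keep(bad))
```

Running `overlaps_keep` over a hand-typed list before saving the rule catches a mistyped boundary that would otherwise block internal addresses.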

The Brief Version

Create a Windows Firewall policy and specify these IP address ranges in a BLOCK rule: – – – – – – –

And create a non-existent proxy too for good measure and stop users from changing this setting.

Windows Firewall GPO

Edit your Group Policy as you usually would, and pick a pertinent OU to apply your new policy:

Give it a sensible name and click ok:

And then in the screen to the right edit the GPO you’ve just created:

Next navigate to Policies – Windows Settings – Security Settings – Windows Firewall with Advanced Security – Outbound Rules:

On the panel on the right, right click and select “New Rule…”:

In the box which pops up select a “Custom Rule” and then click Next:

Leave the default as “All Programs” and click Next:

Leave the defaults as “Any” protocol and click Next:

This next screen is where we’re going to add the majority of our settings, under the “remote IP addresses” select “These IP addresses” and click “Add”:

On the next popup we’ll want to add some IP ranges, so click on “This IP Range” and enter this as the range –, just like this:

You will have to repeat the two steps above to add the following IP ranges, (the list below contains the one above by the way so you needn’t add it twice!): – – – – – – –

When you’re done with that list you should have a screen which looks like the following, if you’re happy click “Next”:

On the next screen make sure the action is highlighted as “Block” and click “Next”:

Under the profile you may want to leave all these locations ticked and then click “Next”:

Give the rule a sensible name and click “Finish”:

Internet Settings GPO

Next we will need to set up the fake proxy, as per the majority of advice out there regarding such things. You may need to download the IE admin pack first, though.

Navigate through to User Configuration – Preferences – Control Panel Settings – Internet Settings, and right click to create a New setting in the right hand panel.

Then click Connections then LAN Settings:

In the box that pops up tick the “Use a proxy server for your LAN” and in the address box type in “” on port “3128”, just like this and then press Ok and Ok again to get back to the main GPO screen.

Next within our GPO go through to User Configuration – Administrative Templates – Windows Components – Internet Explorer.

On the right hand side you want to find the option which reads “Disable changing connection settings”, when you’ve found it open it up by double clicking:

Make this setting enabled and click Ok.

Close down all the GPO windows and you’re done!

2 Comments on "How to Block Internet Access with Group Policy (GPO)"

  1. Willem says:

    Thank you for this article. I am looking for a simple way to ONLY ALLOW G_MAIL in my classroom. Is it possible to adapt the GPO settings to achieve that?

    • gyp says:

      Hi Willem,

      Horribly late reply sorry 🙁

      This would be very difficult and the only way you could do it I can think of would be to use a proper proxy to enforce gmail.

      Doing it from IPs saying that Google have many of them would allow things like Google Search and other Google services inadvertently.

      Sorry for the bad news, but thanks for reading,

