Group Policy settings that prohibit home and small office networking on your domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy settings define the various components of the user's environment that a system administrator can manage. The following Group Policy settings are available to prohibit home and small office networking on your domain:

  • Prohibit use of Internet Connection Sharing on your DNS domain network determines whether computer users with administrator accounts can enable and configure Internet Connection Sharing (ICS) on network connections on your domain.

  • Prohibit use of Internet Connection Firewall on your DNS domain network determines whether computer users with administrator accounts can enable and configure Internet Connection Firewall (ICF) on network connections on your domain.

  • Prohibit installation and configuration of Network Bridge on your DNS domain network determines whether computer users with administrator accounts can enable Network Bridge on your domain.

Group Policy for ICS

ICS allows a user with an administrator account to provide Internet access for a home or small office network, using one common connection as the Internet gateway, and to provide local private network services, such as name resolution and addressing. The ICS host is the only computer that is directly connected to the Internet. Multiple ICS clients simultaneously use the common (shared) Internet connection. ICS is available only on computers that have two or more network connections. Users with administrator accounts enable ICS by accessing the Advanced tab on network connections. For more information about ICS, see Connecting to the Internet in a home or small office network.

If you do not want users on your domain to be able to enable or configure ICS, apply the Prohibit use of Internet Connection Sharing on your DNS domain network Group Policy setting. When you apply the Prohibit use of Internet Connection Sharing on your DNS domain network Group Policy setting, users with administrator accounts cannot enable or configure ICS because the Advanced tab on network connections becomes unavailable, and the related wizard options on computers running Windows XP Professional are blocked.

Computer users with user rights are prohibited from configuring ICS, regardless of this Group Policy setting.

Group Policy for ICF

ICF allows a user with an administrator account to activate a firewall to protect the public connection of a small network or a single computer that is connected to the Internet. ICF is enabled by default only on dial-up connections. Users with administrator accounts can enable ICF on other types of connections, such as LAN and wireless connections, by accessing the Advanced tab on network connections. For more information about ICF, see Internet Connection Firewall.

If you do not want users to be able to enable or configure ICF, apply the Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting. When you apply the Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting, users with administrator accounts cannot enable or configure ICF because the Advanced tab becomes unavailable, and the related wizard options on computers running Windows XP Professional are blocked.

Computer users with user rights are prohibited from configuring ICF, regardless of this Group Policy setting.

Group Policy for Network Bridge

Network Bridge automates the configuration that is required to route traffic between multi-segment networks comprised of a single type of media or mixed media. With Network Bridge, no configuration is required, and you do not need to purchase additional hardware such as routers or bridges. The Network Bridge menu command Bridge Connections is available only when two or more network adapters are present. By default, Network Bridge is disabled, but users with administrator accounts can use Bridge Connections to enable Network Bridge. For more information about Network Bridge, see Network Bridge.

If you do not want users on your domain to be able to enable or configure Network Bridge, apply the Prohibit installation and configuration of Network Bridge on your DNS domain network Group Policy setting. When you apply the Prohibit installation and configuration of Network Bridge on your DNS domain network Group Policy setting, users with administrator accounts cannot enable or configure Network Bridge because the Bridge Connections command is removed from the menu on network connection icons, and the related wizard options on computers running Windows XP Professional are blocked.

Computer users with user rights are prohibited from configuring Network Bridge, regardless of this Group Policy setting.

Important

The Group Policy settings for ICS and ICF are location-aware. A location-aware Group Policy setting applies only when a computer is connected to the domain that it was connected to when the setting was last refreshed. If a computer, such as a laptop computer, is connected to your domain, but the setting on the computer was last refreshed on another domain, then the Group Policy setting on your network does not apply to that computer.

For example, if ICS is enabled on a computer that is on your network, and then you apply the Group Policy setting for ICS, ICS continues to run as normal until you restart the computer or log off of the network and then log on again. The same is true if the Group Policy setting for ICS is set on your network, and then a computer on which ICS is enabled joins your network. In this case also, ICS continues to run as normal until you restart the new computer or log off of the network and then log on again. This example applies to ICF as well.

The Group Policy setting for Network Bridge works somewhat differently. If Network Bridge is enabled on a computer that is on your network, and then you apply the Group Policy setting for Network Bridge, or if the Group Policy setting for Network Bridge is set on your network, and then a computer on which Network Bridge is enabled joins your network, Network Bridge continues to exist in the Network Connections folder and to use system resources, but the functionality of Network Bridge changes. In these cases, Network Bridge continues to receive and send data over the network connections that are included in the bridge but, for security reasons, no longer forwards traffic from one network connection to another. This change is immediate; it does not require that you restart the computer or log off of the network and then log on again.
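Because ICS and ICF that were already enabled keep running until the next restart or logon, an administrator may want to list the connections on which they are still active. The following is an added example, not part of the original topic: it assumes Windows PowerShell is installed on the computer, that the session runs under an administrator account, and it uses the HNetCfg.HNetShare COM object; the function name Get-SharedAccessState is hypothetical.

```powershell
# Added example (not from the original topic).
# Assumptions: Windows PowerShell is available and the session is elevated.
# Get-SharedAccessState is a hypothetical helper name.

function Get-SharedAccessState {
    # INetSharingManager: enumerates connections and their ICS/ICF configuration.
    $mgr = New-Object -ComObject HNetCfg.HNetShare

    foreach ($conn in $mgr.EnumEveryConnection) {
        $props = $mgr.NetConnectionProps.Invoke($conn)
        $cfg   = $mgr.INetSharingConfigurationForINetConnection.Invoke($conn)

        # SharingConnectionType is meaningful only when sharing is enabled:
        # 0 = public (shared Internet side), 1 = private (home network side).
        $role = 'None'
        if ($cfg.SharingEnabled) {
            if ($cfg.SharingConnectionType -eq 0) { $role = 'Public' }
            else                                  { $role = 'Private' }
        }

        # The per-connection firewall flag may be unavailable on systems
        # without ICF; report $null in that case instead of failing.
        $icf = $null
        try { $icf = [bool]$cfg.InternetFirewallEnabled } catch { }

        New-Object PSObject -Property @{
            Name       = $props.Name
            Device     = $props.DeviceName
            IcsEnabled = [bool]$cfg.SharingEnabled
            IcsRole    = $role
            IcfEnabled = $icf
        } | Select-Object Name, Device, IcsEnabled, IcsRole, IcfEnabled
    }
}

# Connections where ICS or ICF is still active on this computer.
Get-SharedAccessState |
    Where-Object { $_.IcsEnabled -or $_.IcfEnabled } |
    Format-Table -AutoSize
```

An empty result means no connection on the computer currently has ICS or ICF enabled; any row returned after the policy was applied points to a computer that has not yet been restarted or logged off and on again.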

For an overview of Group Policy, see Group Policy (pre-GPMC).

Note

  • This topic applies only to product features available in the original release of Windows Server 2003.

  • Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.

  • Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.