This is another article I have written that address’s the commonly asked question on the Group Policy forum as to how you can use group policy to block or allow users to specific web site URL’s. It goes without saying that the most effective way to implement content filtering for the internet is to maintain list of sites on your proxy server/firewall in your organisation. However you might not have any proxy or firewall that can do this and this method is also not affective when a user is connected to the internet outside the corporate network.
Luckily there is an option in the Internet Explorer Maintenance group policy section that allows you to configured an allow/never list of URL’s for your users. If you are configuring this option I also suggest your also check out one of my other article How to configure AppLocker Group Policy in Windows 7 to block third-party browsers to prevent users from running non-IE browsers to get around this restriction as this is an IE only policy setting.
How to configure Internet Explorer to Allow and Block URL’s
Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.
Step 2. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on the “Security Zones and Content Ratings”
Step 3. Select “Import the current Content Ratings settings” and then click on the “Modify Settings” button
Step 4. Click on the “Approved Sites” tab
Step 5a (Black List). Type the name of the URL that you want to block in the “Allow this website” text field and then click “Never” then “OK”
Step 5b (White List). However if you are trying to maintain a white list of URL’s then type the name of the site you want to allow it the “Allow this website” text field and then click “Always” then “OK”
Note: You will probably want to add the internal domain name of your companies AD to the Allow list of as well to ensure users can access the intranet web sites. Also note that while wildcards are supported in the URL’s, but adding just the URL “*” does not work. While this would be very handy to configure a white list I will show you how to get around this restriction in further steps below.
Now we have to create a supervisor password that will be used for making any subsequent changes to the Allow/Never URL list. This password can also be used by the user (if they know it) to work around these URL restrictions. However as this password is applied by policy it will be the same password for all users so think about chancing the password often.
Step 6. Type the same password in both the “Password” and “Confirm Password” fields and type at hint in the “hint” field. You could also type something like “To get this password please contact the help desk on 5555-5555”.
By default when you enable the content advisor it will automatically block any web site that does not have a rating configured. Therefore you will want to turn this blanket restriction off in step 8 if you all you are trying to do is block specific URL’s in a black list configuration.
Step 8 (Black List). Tick “User can see websites that have no rating” then click “OK”
Note: For white list configuration leave the “User can see websites that have no rating” un-ticked so that all web sites will be blocked.
Step 9. Click OK
If you configured a black list then a user will be allowed to go to all web sites except the URL that you specifically blocked. When the user does hit a web site that is blocked they will be presented with dialogue box explaining why they are not able to visit the web site and an option to visit the site only if they know the supervisor password.
If they click Cancel nothing will happen and if they press OK they will get presented with this dialogue box.
Below is another example message that is presented when visiting a site without a rating and you have configured the policy not load sites that do not have a rating which you will see if you have configured this as a white list.
If you are using a white list configured and a users will still be able to visiting as site so long as it is ICRA3 rated and it does not report as having content that falls into any of the rating categories. Therefore this method is not 100% affective for a white list strategy but you do find your users visiting a site that is not specifically allowed then you can simply added it as a blocked URL.
If you have played with this setting and are looking for a way to remove this setting from the group policy then see my posting How to remove imported Internet Explorer Group Policy Settings
You will also find that the computer you have made these URL restrictions on will now have the supervisor password set (I assume its something about how IEM GPMC interacts with the local computer) so to Remove IE Supervisor Password just delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Ratings key and it will reset the Content Advisor settings back to defaults.