Many organizations such as businesses, universities, and schools buy a web security appliance to monitor Internet usage as well as block websites that are objectionable to the organization such as adult websites, social networking sites, video game sites, and blogs. However, by default Windows and Internet Explorer let users change their proxy settings and so bypass any Internet monitoring. Thankfully, there is an easy way to prevent that with a Windows Group Policy.
Active Directory GPO Change to Prevent Users From Changing Proxy Settings in IE
To make sure users can't change the proxy settings in Internet Explorer, change your Active Directory Group Policy to forbid any changes. Do this only after you've configured web access via the GPO. Go to User Configuration, then choose Administrative Templates->Windows Components->Internet Explorer. After that, set the option "Disable changing proxy settings" to Enabled. Once this change takes effect, users will not be able to change their proxy settings in Internet Explorer.
As an Administrator, you might want to exempt administrative accounts from this rule. For example, there may be a need to see if web traffic not going through the proxy acts differently for debugging purposes. To do that, add a "BUILTIN\Administrators - Deny Apply Group Policy" permission to the GPO. This setting will also apply to members of Administrator groups such as Domain Admins and Enterprise Admins. It's also possible to create a separate group and add individual users who are exempt from the policy.
If you ever need to make an exception for a user who cannot connect to the domain to fetch the updated GPO, then you will need to give the local Administrator account password to the user so that they can change the GPO settings themselves by running gpedit.msc or by editing the registry directly. This could happen to a laptop user who uses an Internet connection where encrypted VPN connections are not allowed.
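To confirm on a workstation that the policy described above has reached the logged-on user, the following check can be run in that user's session. It is an added example, not part of the original article: the function name and the expected proxy address are placeholder assumptions, and the registry paths are the per-user locations where Windows stores this policy and the Internet Explorer proxy configuration.

```powershell
# Added example: audit the IE proxy lock-down for the current user.
# Test-ProxyLockdown and the default $ExpectedProxy are hypothetical names/values.
function Test-ProxyLockdown {
    param(
        [string]$ExpectedProxy = 'proxy.example.internal:8080'  # placeholder
    )

    # Value written by "Disable changing proxy settings" under User
    # Configuration: DWORD Proxy = 1 when the policy is enabled.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    # Per-user proxy configuration read by Internet Explorer.
    $inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    $policy = Get-ItemProperty -Path $policyKey -Name Proxy -ErrorAction SilentlyContinue
    $inet   = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue

    $locked  = ($null -ne $policy) -and ($policy.Proxy -eq 1)
    $proxyOn = ($null -ne $inet) -and ($inet.ProxyEnable -eq 1)
    $server  = if ($inet) { $inet.ProxyServer } else { $null }
    $pacUrl  = if ($inet) { $inet.AutoConfigURL } else { $null }

    $findings = @()
    if (-not $locked) {
        $findings += 'Proxy settings are not locked by policy'
    }
    if (-not $proxyOn -and -not $pacUrl) {
        $findings += 'No proxy or auto-config script is set for this user'
    }
    elseif ($proxyOn -and $server -ne $ExpectedProxy) {
        # Exact string comparison; per-protocol values such as
        # "http=host:port;https=host:port" will be reported as a mismatch.
        $findings += "Unexpected proxy server: $server"
    }

    [pscustomobject]@{
        User          = "$env:USERDOMAIN\$env:USERNAME"
        SettingLocked = $locked
        ProxyEnabled  = $proxyOn
        ProxyServer   = $server
        AutoConfigURL = $pacUrl
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings -join '; '
    }
}

Test-ProxyLockdown
```

Accounts exempted through the Deny Apply Group Policy permission will show SettingLocked as False, which is expected for them.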
Disable Installation of Programs in Windows
It is highly recommended that system administrators disable the ability for users to install programs. Even though users won't be able to change their proxy settings in Internet Explorer, they can use a web browser, such as Opera and Firefox, that doesn't use the Windows proxy settings. This will also prevent users from installing programs forbidden by site policy, such as video games.
After all of these steps have been configured, users will no longer be able to bypass your web appliance without using some sort of mobile device. Since mobile devices capable of browsing the Internet are becoming increasingly ubiquitous, organizations need to note the limited benefits of blocking web access since most users have a cell phone. In the end, it may be next to impossible to keep employees off of Facebook during work hours.