For security reasons, normal operators are restricted from using the internet on work computers. However, there are many situations where the manager or systems administrator requires internet access. Currently, this is accomplished on a per-computer basis by a hardware firewall, and users are just not permitted to use 'internet' computers without authorization.
In Windows XP, is there any way to allow or restrict internet access on a per-user basis, such that an administrator can use the internet on a computer but a normal user logged into the same computer cannot? Please note that all operators will still need full access to the local network.
Edit: Just to clarify, by 'internet' I refer to all internet access, not just web browsing.
Perhaps you can do it with an authenticating proxy server and ACLs. Check out http://www.linuxdevcenter.com/pub/a/linux/2001/08/09/authen_squid.html
You could try this: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
Otherwise, I imagine you could just set the file permissions on the IE folder so that normal users do not have read/execute permissions. Admins should still be able to browse.
It depends on if you are trying to block all "internet" activity or if you just want to stop web browsing.
You can deploy Windows XP firewall settings through Group Policies. You could modify the group policy for the administrators with settings that allow external access and for non-administrative users, lock down the firewall settings to disallow external access.
Here's info on deploying Windows firewall settings via GPO.
Microsoft's SteadyState will easily do this... and it's free. Install it under the Admin account and then disable internet access for all other users. It has a small footprint when minimal restrictions are selected.
EDIT - something else I have done 'back in the day' and I mean WAY BACK was enable ratings in IE - under the security tab I think. Then I would block all sites and set a password. IE would work, but would ask for a password for every site. I vaguely recall that, but I think it's correct.
The way we did this was by manually assigning the DNS server to 127.0.0.1 and adding addresses to the host file. Admins were the only ones that could change the setting.
I implemented something similar for my church's kiosk systems by manually assigning IP addresses and not putting a default gateway or DNS entries for the network card. The kiosk user account had no access to change network settings so they were never able to go outside of the local network. This solution is workable as is if you have a single subnet. Multiple subnets behind a firewall would require persistent routes on each of the affected PCs. If an admin user logged onto the system and needed Internet access, they can quickly add the proper default gateway and DNS entries but would have to remember to remove them. It's free and doable but it is rather time-consuming and relies on the admin remembering to remove the settings before logging off.
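The gateway/DNS toggle described in the last answer, as an added example that is not part of the original post: a batch file an administrator runs to add the default gateway and DNS server, wait, and then strip them again so the removal step does not depend on memory. The interface name and every address are constructed placeholders.

```batch
@echo off
rem Added example, not from the original thread. Run it from an administrator
rem account; a restricted account cannot change these settings.
rem Interface name and all addresses below are constructed placeholders.
setlocal
set IFACE=Local Area Connection
set IP=192.168.1.50
set MASK=255.255.255.0
set GATEWAY=192.168.1.1
set DNS=192.168.1.1

rem Grant: keep the static LAN address, add a default gateway and a DNS server.
netsh interface ip set address name="%IFACE%" source=static addr=%IP% mask=%MASK% gateway=%GATEWAY% gwmetric=1
netsh interface ip set dns name="%IFACE%" source=static addr=%DNS%

echo Internet access is enabled on "%IFACE%".
echo Press any key when finished to remove the gateway and DNS entries.
pause >nul

rem Revoke: same LAN address, no default gateway, no DNS server.
netsh interface ip set address name="%IFACE%" source=static addr=%IP% mask=%MASK% gateway=none
netsh interface ip set dns name="%IFACE%" source=static addr=none

rem Show the result so the empty gateway and DNS fields can be confirmed.
ipconfig /all
endlocal
```

Closing the window instead of pressing a key skips the revoke step, so the `ipconfig /all` output at the end is the confirmation that the machine is back to local-network-only.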