Is there a way I can disable internet access for a single account an XP Pro machine? Preferable something built-in like a security policy or something.
It's not clear from your question, but I'm guessing this is a stand-alone PC?
If that's the case you may want to look at Windows Steady State. I've used it to better control access in various stand-alone PCs for very small businesses and homes.
User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection
I believe when you change policies in 'User Configuration' they apply to the currently logged on user, so you would have to log onto the user(s) you wish to restrict.
Note that I'm not entirely sure on this, so take with a pinch of salt.
Personally, my preferred option would be:
a) Setup a bogus proxy server in your browser of choice. Proxy servers are usually stored on a per user basis, (at least in IE) and thus you can block your users with a bogus proxy. This is really easy to circumvent.
b) Install a proxying software such as freeproxy that requires users to Authenticate before they can access the internet. The benefit is you can safely use more global group policies to enforce use of a proxy, or you can use some form of autoconfiguration.
What sort of environment are we discussing here? Is this a work PC? If it's a work PC and it's being used for non work things, you should inform the users that is not acceptable - and more importantly, your workplace should have an acceptable use policy to back it up.
Right click on the user in question and select Properties
On the profile tab enter the profile path "c:\" and the logon script name "ReleaseIP.bat"
In "c:\" create a ".bat" file called "ReleaseIP.bat" with the following content:
"ipconfig /release"
In your "network connections" and your Local Area Connection be sure to uncheck "Show icon in notification area when connected" and uncheck "Notify me when this connection has limited or no connectivity" to hide the network icon.
You might have to create a network share and place the script in there depending on your computer configuration.
Unless your kid knows how to renew the IP address they'll effectively be dealing with a disabled network adapter (Assuming you only one network card.)
It depends if you have XP Home or XP Professional. The latter allows you to set a policy that would allow you to redirect any web connection to a bogus address/port i.e. the local address.
Not particularly a sysadmin answer if we're talking about a young kid (upstream proxies and whatnot are really overkill for your scenario), but Windows Live Family Safety is designed explicitly for this scenario. It is free and will let you lock down access for given users, grant them access to certain sites (they have a list of kid-friendly sites such as the Disney Channel or Nick Jr. sites), and kids can request access to sites that will be routed to your e-mail for review/approval).
It's not clear from your question, but I'm guessing this is a stand-alone PC?
If that's the case you may want to look at Windows Steady State. I've used it to better control access in various stand-alone PCs for very small businesses and homes.
The policy you're looking to change is under:
User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection
I believe when you change policies in 'User Configuration' they apply to the currently logged on user, so you would have to log onto the user(s) you wish to restrict.
Note that I'm not entirely sure on this, so take with a pinch of salt.
Personally, my preferred option would be:
a) Setup a bogus proxy server in your browser of choice. Proxy servers are usually stored on a per user basis, (at least in IE) and thus you can block your users with a bogus proxy. This is really easy to circumvent.
b) Install a proxying software such as freeproxy that requires users to Authenticate before they can access the internet. The benefit is you can safely use more global group policies to enforce use of a proxy, or you can use some form of autoconfiguration.
What sort of environment are we discussing here? Is this a work PC? If it's a work PC and it's being used for non work things, you should inform the users that is not acceptable - and more importantly, your workplace should have an acceptable use policy to back it up.
You could also consider an upstream solution depending on what firewall you are using.
You mentioned in your comment this was for a young child. The simplest solution is just remove icons to Internet Explorer.
Remove from desktop, pre-SP3: Control Panel -> Display -> Desktop -> Customize Desktop, uncheck Internet Explorer.
Remove from Start Menu: Right click on icon, choose Remove from Menu.
Remove from Start Menu Programs Group: Right-click on Start, Explore, go into Programs, delete the icon.
You could simply write a logon script for the user account in question and release the IP.
Some basic steps if you want to punt:
You might have to create a network share and place the script in there depending on your computer configuration.
Unless your kid knows how to renew the IP address they'll effectively be dealing with a disabled network adapter (Assuming you only one network card.)
It depends if you have XP Home or XP Professional. The latter allows you to set a policy that would allow you to redirect any web connection to a bogus address/port i.e. the local address.
Not particularly a sysadmin answer if we're talking about a young kid (upstream proxies and whatnot are really overkill for your scenario), but Windows Live Family Safety is designed explicitly for this scenario. It is free and will let you lock down access for given users, grant them access to certain sites (they have a list of kid-friendly sites such as the Disney Channel or Nick Jr. sites), and kids can request access to sites that will be routed to your e-mail for review/approval).
http://download.live.com/familysafety