Applying outbound connection rules PER USER in Windows Firewall with Advanced Security
Solution 1
This just isn't a feature that's available. If you want to do something like this, you might look at using Microsoft TMG as an outbound proxy. It can do user/group based access to Internet resources.
Solution 2
This is doable, I just did it for my kid's computers. Just create the entries below in Task Scheduler. Note that this is not super-secure, since it doesn't account for things like multiple sessions from remote desktops, etc. That said, hopefully it will help a lot of people viewing this topic. Also, note the 30-second delay in Step 2 before the firewall is turned off for registered users. Not sure if that can be made quicker somehow, 5-10 seconds would be more than enough for my computers.
Step 1) Create a Task that turns ON the firewall when anyone logs on:
Task Scheduler -> Action -> "Create Task"
General:
Name:TurnOnWindowsFirewall
Security Options:"Run whether user is logged on or not" checked
Security Options:"Run with highest privileges" checked
Triggers: (click 'New...')
BeginTheTask:"At log on"
Settings:"Any User" checked
Advanced Settings:"Stop if task runs longer than:" checked; "30 minutes" selected
Advanced Settings:"Enabled" checked
Actions: (click 'New...')
Action:"Start a program"
Program/script:"netsh"
Add Arguments:"advfirewall set allprofiles state on"
Conditions:
Uncheck everything on this tab
Settings:
AllowOnDemand: checked
RunTaskAsSoonAsPossible: checked
IfTheTaskFails: unchecked
StopTheTaskIfItRunsLonger: checked; "1 hour" selected
IfTheRunningTaskDoesNotEndForceIt: checked
IfTheTaskIsNotSchedAgainDeleteIt: unchecked
IfTheTaskIsAlreadyRunning: "Do not start a new instance" selected
Step 2) Create a Task that turns OFF the firewall when a certain user logs on:
Task Scheduler -> Action -> "Create Task"
General:
Name:TurnOffWindowsFirewall
Security Options:"Run whether user is logged on or not" checked
Security Options:"Do not store password" checked
Security Options:"Run with highest privileges" checked
Triggers: (click 'New...')
BeginTheTask:"At log on"
Settings:"Specific User" checked (select user that should have OPEN internet access.)
Advanced Settings:"Delay task for:" checked; "30 seconds" selected
Advanced Settings:"Stop if task runs longer than:" checked; "30 minutes" selected
Advanced Settings:"Enabled" checked
Actions: (click 'New...')
Action:"Start a program"
Program/script:"netsh"
Add Arguments:"advfirewall set allprofiles state off"
Conditions:
Uncheck everything on this tab
Settings:
AllowOnDemand: checked
RunTaskAsSoonAsPossible: checked
IfTheTaskFails: unchecked
StopTheTaskIfItRunsLonger: checked; "1 hour" selected
IfTheRunningTaskDoesNotEndForceIt: checked
IfTheTaskIsNotSchedAgainDeleteIt: unchecked
IfTheTaskIsAlreadyRunning: "Do not start a new instance" selected
Good Luck!
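The two tasks above, registered from PowerShell instead of the Task Scheduler GUI. This is an added example, not code from the answer; it uses the ScheduledTasks module (Windows 8 / Server 2012 and later), runs both tasks as SYSTEM (which covers "run whether user is logged on or not" and "highest privileges" without storing a password), and assumes a hypothetical account name in $OpenUser. Keep in mind what the action actually does: `netsh advfirewall set allprofiles state off` disables the whole firewall, inbound rules included, for as long as that user stays logged on, and the "on" task only fires at a logon, so check the profile state with the last line before relying on it.

```powershell
# Added example, not part of the original answer. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# Hypothetical account that should have OPEN internet access; change to the real one.
$OpenUser = "$env:COMPUTERNAME\alice"

# Settings shared by both tasks, mirroring the answer's Settings tab:
# run ASAP after a missed start, 1 hour limit, no second instance, ignore battery state.
# "Force it to stop" (AllowHardTerminate) is already the default.
$settings = New-ScheduledTaskSettingsSet `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

# SYSTEM + highest run level: runs at any logon, no stored password needed.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Step 1: any user logs on -> firewall ON for all profiles.
$onTrigger = New-ScheduledTaskTrigger -AtLogOn
$onTrigger.ExecutionTimeLimit = 'PT30M'          # "Stop if task runs longer than 30 minutes"
$onAction  = New-ScheduledTaskAction -Execute 'netsh.exe' `
    -Argument 'advfirewall set allprofiles state on'
Register-ScheduledTask -TaskName 'TurnOnWindowsFirewall' `
    -Trigger $onTrigger -Action $onAction -Principal $principal -Settings $settings -Force

# Step 2: the chosen user logs on -> firewall OFF, 30 seconds after the "on" task.
$offTrigger = New-ScheduledTaskTrigger -AtLogOn -User $OpenUser
$offTrigger.Delay = 'PT30S'                      # "Delay task for 30 seconds"
$offTrigger.ExecutionTimeLimit = 'PT30M'
$offAction  = New-ScheduledTaskAction -Execute 'netsh.exe' `
    -Argument 'advfirewall set allprofiles state off'
Register-ScheduledTask -TaskName 'TurnOffWindowsFirewall' `
    -Trigger $offTrigger -Action $offAction -Principal $principal -Settings $settings -Force

# Verify: both tasks exist, and the live firewall state per profile.
Get-ScheduledTask -TaskName 'Turn*WindowsFirewall' | Select-Object TaskName, State
netsh advfirewall show allprofiles state
```

Log on as the chosen user, wait the 30 seconds, and run the last line again: all three profiles should read "OFF"; log on as anyone else and they should flip back to "ON".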
Fredrik_S
Updated on September 18, 2022
Comments
- Fredrik_S over 1 year:
In the latest version of the Windows Firewall, included for example in Windows Server 2008 R2, you can block incoming connections and apply this rule only for a set of users (Users Tab in the rule properties).
Why is this not possible for outbound connection rules, and how can it be achieved? I need a software solution that blocks all internet access for specific users and not for others, and I hope to realize this with the Windows Firewall.
- Oscar over 6 years: This answer is just what I need, for the same purpose; very helpful, thanks.