cptblast/IRGtool

IRG (Internet Restriction GPO tools) — v1.2.0

Edge-only module to restrict user Internet access using two models:

  1. URL Allowlist — Block all, allow select Microsoft/OWA endpoints in Edge.
  2. Fixed Dead Proxy — Force proxy to 127.0.0.1:PORT with bypass list for Microsoft endpoints (WinINET + Edge).

Requires RSAT ActiveDirectory and GroupPolicy modules (Windows PowerShell 5.1+). Works on Windows Server or RSAT-equipped client workstations.


Installation

  1. Copy files to a folder (e.g., C:\Modules\IRG).
  2. Import the module:
     Import-Module C:\Modules\IRG\IRG.psd1 -Force
  3. Optional: enable verbose logging during runs with -Verbose, or do a dry run with -Preview.

Cmdlets & Examples

Common parameters across cmdlets:

  • -UserSAM — the user's sAMAccountName (e.g., jdoe).
  • -Server — preferred AD server/DC (e.g., dc01.contoso.local).
  • -DomainFqdn — domain FQDN used for GPO cmdlets (e.g., contoso.local).
  • -SecurityGroupName — defaults to GPO-InternetRestrictedUsers.
  • -GroupOU — optional DN for creating the restricted group (defaults to the user's parent container).
  • -Preview — prints planned actions without applying changes.
  • -Verbose — detailed logs of each operation.

1) URL Allowlist (Edge)

Blocks all URLs then allows key Microsoft endpoints.

New-InternetRestrictionAllowlistGpo -UserSAM 'jdoe' `
  -TenantCloud 'CommercialOrGCC' `
  -GpoName 'Restrict Internet Except OWA - URLAllowlist' `
  -SecurityGroupName 'GPO-InternetRestrictedUsers' `
  -Server 'dc01.contoso.local' -DomainFqdn 'contoso.local' -Verbose

2) Fixed Dead Proxy (WinINET + Edge)

Sets WinINET proxy to 127.0.0.1:8080 and configures Edge fixed proxy with bypass.

New-InternetRestrictionFixedProxyGpo -UserSAM 'jdoe' `
  -ProxyPort 8080 -TenantCloud 'CommercialOrGCC' `
  -GpoName 'Restrict Internet Except OWA - FixedProxy' `
  -Server 'dc01.contoso.local' -DomainFqdn 'contoso.local' -Verbose

Add a user to the restricted group

Add-InternetRestrictedUser -UserSAM 'jdoe' `
  -SecurityGroupName 'GPO-InternetRestrictedUsers' `
  -Server 'dc01.contoso.local' -Verbose

Clear URL lists from a GPO (Edge)

Clear-InternetRestrictionUrlLists -GpoName 'Restrict Internet Except OWA - URLAllowlist' `
  -DomainFqdn 'contoso.local' -Verbose

Remove the restriction GPO and optional group

Remove-InternetRestrictionGpo -GpoName 'Restrict Internet Except OWA - FixedProxy' `
  -DomainFqdn 'contoso.local' -Server 'dc01.contoso.local' `
  -RemoveGroupName 'GPO-InternetRestrictedUsers' -Verbose

Notes & Behavior

  • All cmdlets honor -WhatIf/-Confirm via SupportsShouldProcess.
  • -Preview provides a human-friendly summary without changes.
  • GPO links target the user's parent OU if the user object resides in an OU, otherwise the domain DN.
  • Security filtering grants Apply to the restricted group and removes Authenticated Users.
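
To audit the link target and security filtering described above after a run, the following added example (not part of the IRG module) uses only the stock GroupPolicy cmdlets. Test-IrgGpoScope is a hypothetical helper name, and the GPO, group and domain names are the sample values from this README.

```powershell
#Requires -Modules GroupPolicy
# Added example. Test-IrgGpoScope is a hypothetical helper, not an IRG cmdlet.
function Test-IrgGpoScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$DomainFqdn,
        [string]$SecurityGroupName = 'GPO-InternetRestrictedUsers'
    )

    # Every trustee on the GPO with its GPMC permission level.
    $perms = Get-GPPermission -Name $GpoName -DomainName $DomainFqdn -All

    $appliers = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })
    # GpoApply includes read, so both levels count as "can read".
    $readers = @($perms | Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })

    # Where the GPO is linked, taken from the XML report.
    [xml]$report = Get-GPOReport -Name $GpoName -Domain $DomainFqdn -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } |
        ForEach-Object { '{0} (enabled={1})' -f $_.SOMPath, $_.Enabled })

    [pscustomobject]@{
        GpoName            = $GpoName
        GroupHasApply      = $appliers -contains $SecurityGroupName
        # Anyone else with Apply widens the restriction beyond the group.
        UnexpectedAppliers = @($appliers | Where-Object { $_ -ne $SecurityGroupName })
        # Since MS16-072, user policy is fetched in the computer's context,
        # so computer accounts need Read or the GPO is silently skipped.
        ComputersCanRead   = [bool]($readers | Where-Object {
            $_ -in 'Authenticated Users', 'Domain Computers' })
        Links              = $links
    }
}

# Names below are the sample values used in this README.
Test-IrgGpoScope -GpoName 'Restrict Internet Except OWA - FixedProxy' `
    -DomainFqdn 'contoso.local' | Format-List
```

A result with GroupHasApply true, no UnexpectedAppliers, ComputersCanRead true and a single link on the expected OU matches the behavior listed above; ComputersCanRead false means the restriction will not reach the user even though the GPO exists.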

Changelog

  • v1.2.0 — Removed IIS/PAC hosting; kept URL allowlist and fixed proxy models; works on Server or RSAT-equipped clients. Fixed invocation typo.
  • v1.1.0 — Edge-only; removed Chrome; server-only IIS PAC hosting; PAC URL includes port when not 443.
  • v1.0.x — Initial multi-browser implementation.
