Block internet access for AD groups authenticated users in XG firewall

Question

Hello, 
 i want to block internet access to any user profile in XG device ( i dont want to block by IP since i still want to give internet access to other users on the same station ) 
 the two logical ways are either to create a new rule to reject wan access to user profile as source or in client list where i can deny all internet traffic 
 none of the these solutions block internet access 
 all users are imported from AD and STAS collector is installed on DC . 
 any hint what could be the solution to apply

thanks

Aditya Patel · Answer

Hi Fred atallas 
 You may two options 
 1. Create a Group for users who does not need internet access by setting Application and Web Policy set to Deny All on Group policy. 
 2. Create a Rule and select the users/group and set action of the rule to 'Deny'. 
 Kindly note, you may need to check if the traffic is not going through any other rule and position the rule on top to be sure.

lferrara · Answer

Fred atallas said: 
 Hello Aditya , 
 
 i tried both ways 1 and 2 but not seem to be applied since the user can still surf to the intranet .

Fred, 
 you cannot restrict access to Intranet unless the XG is used to manage all intra-vlan networks or is deployed in bridge mode. 
 To deny access to intranet, you need to play with your Web Server Authentication mechanisms. 
 Regards