by ChrisH » Oct 31 03 1:59 pm
Hello,
I had a similar type of issue that I solved by using a technique I call "Policy Twinning" that applies only when you have Authenticated users. What I do is create another identical policy for each user or group that I want to restrict. Then on this new policy add or vary the restriction to the area you want to control.
In your case, I would modify each existing user or group policy so that the Location tab, under the service you want to restrict (e.g. WWW proxy), specifies that the user has rights from the following included locations (127.0.0.1 and 192.168.10.*, e.g. everywhere) but is excluded from 192.168.10.20 (which is the IP of the restricted machine).
Then create a new policy with exactly the same ban lists, advanced policies, authentication level, etc. except that the Time tab would have the following Excluded time 12:00 AM to 6:00 AM and the Location tab would not have the Excluded address of 192.168.10.20.
WinGate will logically "OR" these two policies. So that if User A wants to use 192.168.10.20 after midnight, the first policy doesn't allow it because the IP is restricted, plus the second policy doesn't allow it because of time, so therefore access is denied. Similarly, after 6:00 AM the first policy would deny right because of IP restriction but second policy allows it, therefore access is granted. At any other machine after midnight the first policy would be valid (unless of course there is some other time restriction there) and second wouldn't apply, but access would be granted. During the day at any other machines both policies would be valid and access granted (this is why you have to have the exact same restrictions for each policy - e.g. ban list - or problems will occur).
If you have a great number of individual users or groups this method could be cumbersome, one could copy registry keys to save reentering extensive lists, but it seems to work.
Chris H.
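The OR behaviour described in the post above can be checked with a small model. This is an added example, not part of the post and not WinGate code: the `Policy` class, `granted` function, the sample site names and the half-open 12:00 AM to 6:00 AM window are assumptions made for illustration. It also shows the failure mode the post warns about, where a twin that lacks the original's ban list lets banned requests through.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch

@dataclass(frozen=True)
class Policy:
    # Hypothetical model of one policy's Location, Time and ban-list settings.
    include: tuple = ("127.0.0.1", "192.168.10.*")
    exclude_ips: tuple = ()
    exclude_time: tuple = None          # (start, end), treated as start <= t < end
    ban_list: frozenset = frozenset()

    def allows(self, ip, at, site):
        if not any(fnmatch(ip, pat) for pat in self.include):
            return False
        if any(fnmatch(ip, pat) for pat in self.exclude_ips):
            return False
        if self.exclude_time and self.exclude_time[0] <= at < self.exclude_time[1]:
            return False
        return site not in self.ban_list

def granted(policies, ip, at, site="allowed.example"):
    # Policies are OR-ed: a single policy that allows the request is enough.
    return any(p.allows(ip, at, site) for p in policies)

RESTRICTED = "192.168.10.20"
NIGHT = (time(0, 0), time(6, 0))
BANS = frozenset({"banned.example"})   # constructed sample ban list

# Original policy: everywhere except the restricted machine.
original = Policy(exclude_ips=(RESTRICTED,), ban_list=BANS)
# Twin: same ban list, no excluded IP, but excluded between 12:00 AM and 6:00 AM.
twin = Policy(exclude_time=NIGHT, ban_list=BANS)
# Misconfigured twin: ban list was not copied over.
leaky_twin = Policy(exclude_time=NIGHT)

if __name__ == "__main__":
    for ip in (RESTRICTED, "192.168.10.5"):
        for at in (time(2, 0), time(9, 0)):
            print(ip, at, "granted" if granted([original, twin], ip, at) else "denied")
    # Banned site, daytime, ordinary machine: the leaky twin grants what the
    # original policy would have blocked.
    print("correct twin:", granted([original, twin], "192.168.10.5", time(9, 0), "banned.example"))
    print("leaky twin:  ", granted([original, leaky_twin], "192.168.10.5", time(9, 0), "banned.example"))
```
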