I want to configure Windows so that certain categories of websites are permanently inaccessible in a way that cannot be bypassed by changing DNS settings, using VPNs/proxies, accessing direct IPs, or installing alternate browsers.
I am looking for a technical, system-level solution using Windows features such as enforced DNS, firewall rules, Group Policy, AppLocker, user-account restrictions, and blocking tunneling tools. What is the correct approach to lock down DNS, prevent VPN/proxy usage, block unauthorized browser installs, and remove local admin rights so that this setup becomes effectively hardened?
This is a personal Windows device. I want to block access to specific known categories of unwanted websites using DNS filtering (such as services that classify domains into categories), combined with Windows system-level restrictions to prevent bypass. I understand no category database is 100% accurate; the goal is not perfect classification but strong practical enforcement. I want to remove local admin rights from my main account and apply DNS enforcement, firewall rules, Group Policy restrictions, AppLocker, and VPN/tunneling prevention from a separate admin account. So far, I have researched DNS-based filtering (NextDNS, CleanBrowsing, ControlD), Windows Firewall configuration, and Group Policy restrictions, but each method alone is bypassable if the user still has admin rights. I am trying to understand the correct combination of policies and restrictions that will work together once admin rights are removed.
-
Is this a personal device, or enterprise or company-owned? What sorts of websites are you trying to block? Note that if you are able to apply a setting yourself, you're also able to revoke those settings, if you're using an account with the same level of permission. So, if you're dealing with a personal device and you're trying to block yourself from visiting these sites, you're limited to 3rd party applications that break Windows networking on purpose to enforce these limits.music2myear– music2myear2025年12月03日 18:15:43 +00:00Commented 23 hours ago
-
This is a personal Windows device. I am trying to block certain categories of unwanted websites permanently. I understand that if I have admin permissions I can revert my own changes, which is why I want to remove local admin rights from my main user account and apply system-level restrictions from a separate admin account. I’m looking for the correct technical approach to enforce DNS, block tunneling/VPN tools, prevent alternate browsers, and use Group Policy, AppLocker, and firewall rules so the restrictions remain in place even after removing admin rights from the main account.Nishchay Anand 4233– Nishchay Anand 42332025年12月03日 18:18:14 +00:00Commented 23 hours ago
-
1"so that certain categories of websites" - this presupposes that a 100% accurate database of website categories exists and is ready for you to use: on the contrary: no such thing exists. Please elaborate.Dai– Dai2025年12月03日 18:20:54 +00:00Commented 23 hours ago
-
First, EDIT your question to add this information to it, as that is necessary information and all necessary information must be in the question. Second, what research have you done and what have you tried so far? This is a solved problem, as in, there's documentation on how to do this, and I know I've participated in the same question on this site going back several years.music2myear– music2myear2025年12月03日 18:20:58 +00:00Commented 23 hours ago
-
Another comment though: as in the other questions we've answered regarding this subject, technology is a poor replacement for self-control, and it feels as though you're looking for a technical solution to what is really a human problem. There are applications that offer filtering or "p*rn blocking" that hook into the networking stacks and have methods of resisting removal. I recommend that you do a web search for accountability software.music2myear– music2myear2025年12月03日 18:26:37 +00:00Commented 23 hours ago
Explore related questions
See similar questions with these tags.