Firewall Blocking Internet Access whilst allowing Intranet Access

Not sure if this is the right way to do it, but it works for me; hopefully it’ll be of some use to others…

I have a corporate intranet that everyone needs access to; some people are not allowed access to the internet though. You may have a similar situation at home, wanting to limit the kids to your hom network but not to the web. My solution via CIS is:

Create Network Zone “Intranet”. Add a RANGE of addresses to it; - (ie. your internal IP range)

Create Network Zone “Internet”. Add a RANGE of addresses to it; - (again, your internal IP range, same as before). Tick the Exclude box for this Zone.

Set a password in the Parental Controls section of CIS and that’s the web locked down for that PC. Simple (now I’ve figured it out; it took a while to make the mental leap…)

I would like to Prevent access to the Internet but allow Intranet (to give it a try).
I have followed this guide, but I am behind a router and it brings some confusion.

My network is as follow (it is temporary down - but one single current working machine and a router) - Router - - 3 PC & 1 print server

I created 2 Zones in my Network Zone and Use the stealth port wizard to have this 2 zones in the Global rules:
Network Zone Intranet: Range -
Network Zone Internet: Range - (exclude)

It fails (I can still connect the internet) since the router is include in both Zones

Q1. What is the correct IP range: The IP addresses of the PC’s, router excluded?

Q2. If the router IP is excluded in the Zone ranges, how can communication occurs between the PC’s? Isn’t the router is the central point to manage the LAN/WAN sides.

Edit: changing the Zone IP to - failed too. There is something I don’t do right or don’t understand. I have a remark though: When a user’s post figures in the Guide section, I would expect a Mood to edit it, including the different steps, so that anyone at any level could reproduce and experience by himself. I would not have such demand if it was a tip in the help thread. Thanks.

I’ve got it working differently now in the latest version of Comodo. Try this;

In Tasks create two Zones:

  1. Intranet -
  2. Internet: -

In Network Monitor:

  1. Allow Source IP: Zone Intranet , Destination IP: Zone Intranet
  2. Block Source IP: Zone Internet, Destination IP: Zone Internet

That works for me; looking at my previous example, I haven’t a clue how it could or would work!


The 2 zones go here: Common Tasks > My Network Zones?

What is Network Monitor: Application rules or Global rules?


I’m looking at an installation of v2.8 here; in Security there are tabs for Tasks and Network Monitor; you need to set these zones up in Tasks then allow/block in Network Monitor.

I see, quite a version gap.

If a moderator or an advanced user can edit the post to make it current with version 3.9, thanks.

Welcome to the Forum, Clum1.

To test this with 3.9, what I did was create a global firewall rule,
Block IP Out Source (the IP of this machine) Destination Exclude Zone [Home] Protocol Any.
Place this Block rule as the first block rule in the list.
Enable Password Protection with Parental Control.
This effectively blocked all access to the Internet.
Now, when I installed CIS, I said the network zone it found (, I am behind a router) was accessible to anyone in this network [Home]. This action created two rules,
Allow All Incoming requests if the Target is in [Home]
Allow All Outgoing requests if the Target is in [Home]
The end result is local network access, but NO Internet access.
Note this is machine specific, but since each machine is assigned a unique IP in your network (and this IP can be set as permanent), it effectively controls what machines have access to the Internet.