Managing the Internet connectivity of multiple Windows computers in a local network is a frequent administrative necessity, often driven by security requirements, mandatory maintenance periods, or simply controlling user access in scenarios such as during the conduction of examinations. Manually performing this task on dozens of machines—logging into each, navigating to network settings, and disabling/re-enabling components—is not only time-consuming and tedious but is highly susceptible to human error. Such manual efforts reduce IT efficiency and increase the risk of inconsistent network state across the organization.
To overcome these concerns, a script-based solution offers unparalleled utility. By leveraging the built-in capabilities of PowerShell, administrators can transform a manual, hour-long chore into an automated batch process. PowerShell is exceptionally effective for this task because its cmdlets (like Invoke-Command and network management tools) allow for secure, remote execution of commands across the entire domain, all while reading instructions from a centralized source like an Excel file. This automation ensures consistency, provides auditable logging of every successful or failed operation, and allows the administrator to quickly and effectively manage internet access without disrupting local network operations.
This set of scripts allows an administrator to remotely enable or disable network connectivity on multiple Windows computers by reading instructions from an Excel file.
PowerShell offers several powerful methods to remotely control Internet while maintaining local area network (LAN) communication. Below is a comparison of five primary techniques:
| Method | Description | Pros | Cons |
|---|---|---|---|
| 1. Physical Network Adapter Toggle | Disabling the entire network adapter using cmdlets like Disable-NetAdapter and Enable-NetAdapter. | Highly effective; a guaranteed internet block. Simple and uses clear commands. | Breaks all connectivity, including local network access (LAN/RDP/shares). Difficult to manage remotely once disabled. |
| 2. Default Gateway Removal/Renewal | Removing the computer's route to the router (0.0.0.0/0) using Remove-NetRoute to cut off external communication, then renewing the DHCP lease (ipconfig /renew) to restore it. | Keeps LAN communication alive (critical for remote management). Simple to script for DHCP environments. | Fails to restore connectivity if the target computer uses a static IP address. Requires a separate, more complex "Enable" command for static IPs. |
| 3. Windows Firewall (Outbound Rules) | Creating and toggling a specific outbound firewall rule to block traffic (e.g., ports 80/443) destined for outside the local subnet. | Most granular control. The most robust method, as it doesn't touch network configuration. | Requires initial remote setup (rule creation) on all targets. Slightly more complex to script than simple removal/renewal. |
| 4. DNS Client Black-holing | Changing the adapter's DNS server IP address to an invalid or non-existent address (like 127.0.0.1 or 0.0.0.0) to prevent domain name resolution. | Very easy to implement using Set-DnsClientServerAddress. Keeps LAN communication and IP configuration intact. | A technically savvy user can bypass this by navigating to websites via direct IP addresses. Requires DHCP for easy restoration. |
| 5. System-Wide Proxy Server | Configuring the computer's system-wide proxy settings (often via the registry) to point to a non-existent proxy server. | Stops most common applications (browsers, email clients) that respect system settings. | Least robust method. Easily bypassed by applications that use their own connection methods (VPNs, some games, etc.) or by user manipulation of browser settings. |
For a standard environment where workstations primarily use DHCP and the administrator's goal is to temporarily and completely disable internet access while preserving remote management capabilities (LAN access), the Default Gateway Removal and Renewal approach is highly recommended for the following reasons.
1. Simplicity: The commands (Remove-NetRoute and ipconfig /renew) are concise, fast, and easy to execute remotely via Invoke-Command.
2. Effectiveness: It effectively halts all external routing by removing the mechanism the computer uses to exit the network, ensuring a high success rate in disabling internet access.
3. Remote Access Preservation: Critically, the LAN connection remains active, allowing the administrator's script (and subsequent manual access) to continue functioning perfectly.
The solution presented here implements the the Default Gateway approach striking the optimal balance between operational effectiveness and scripting simplicity for most standard deployment scenarios.
Perform one-time mandatory setup steps on both the administrator's computer and all the target computers for this script to work.
a) Create a folder e.g. C:\AdminScripts\Toggle-Internet.
b) Download the following files into the above mentioned folder.
- Toggle-Internet.ps1
- Run-InternetToggle.bat
- Computers.xlsx
c) Install the ImportExcel PowerShell module. This is a safe and widely-used module for handling Excel files.
-
Open PowerShell as an Administrator.
-
Run the command
Install-Module \-Name ImportExcel \-Scope CurrentUserIf prompted about an "untrusted repository" (PSGallery), press Y (Yes) or A (Yes to All) to approve.
d) Repeat running the following command for all target computers to add them as trusted hosts replacing with the actual target computer name or IP address:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<TargetComputerNameOrIP>" -Concatenate -Force
Follow the following steps to enable (must needed) PowerShell Remoting (WinRM) in each of the target computers. This is the secure, built-in Microsoft technology that allows Invoke-Command to work.
a) Log in to the target computer as an Administrator.
b) Open PowerShell as an Administrator.
c) Change current network profile to "Private" if it set to "Public" by executing the command
Set-NetConnectionProfile -Name "<NetworkName>" -NetworkCategory Private
replacing the <NetworkName> with actual name of the current network. The same can also be done user interface by opening Settings --> Network & internet --> Properties and checking "Private network". This change is required for Windows firewall exceptions to work properly allowing PowerShell remoting.
d) Run the command: Enable-PSRemoting -Force
This command will start the WinRM service, set it to start automatically, and create the necessary firewall rules.
The user account running the Run-NetworkToggle.bat script on the administrator's computer must have administrative privileges on all the target computers. Typically, this means running the script as a Domain Administrator.
-
Log in as an Administrator.
-
Open input file Computers.xlsx file using Microsoft Excel and fill the details for each target computer that needs Internet control. The details should include name of target computer in column Computer Name/IP" along with value
Enable/Disable/Skipin column Enable/Disable. Once done, save the file and close Microsoft Excel. -
Open Windows Explorer and nagigate to the folder containing files for this utility.
- Drag the file Computers.xlsx file and drop it directly onto the Run-InternetToggle.bat file.
- A command window will open, show the progress, and list any errors.
-
Check the status of each operation in the run in the Log file after the script finishes. The log file with the naming format Computers Log - 2025.10.24 09.30.00 AM.xlsx will be generated after every run and will appear in the
Logsdirectory.