Using a 2830 router for our office and would like to block internet access for a specific group of users.

Users do not currently need to login to the router to get internet and I don't want to change this.

Is it possible to block a Windows group from access just using my router or do I need to add a separate firewall that can achieve this?

Thanks,
Colin

Pretty sure the 2830 has no concept or AD connectivity, so you would need to install a firewall like device which does - suspect that pfsense would do the job for you.

You'd need to ensure that any 'smart' users couldn't bypass the pfsense box by changing their default gateway to the 2830. Or that you prevent all users from modifying network setting/IE proxy settings so they use what ever is forced out by the AD groups.

Thinking about it, the quick option would be to say for the AD group you don't want to have internet is to give them a duff default gateway (assuming you have a simple network) or force them to have a different proxy.pac file (assuming they don't have local machine permissions to change).

Thanks - yes, I like your suggestion about the duff proxy as it really does prevent a simple requirement becoming out of hand in terms of money and time spent.