How to restrict a single computer to access only one specific website on USG FLEX?

Zyxel_Judy
Zyxel Employee

Scenario

You want to block a specific computer on your network from accessing all websites except one, while allowing all other computers on the same subnet to browse freely. This is achievable using Policy Control rules on the USG FLEX.

For this example:

  • Subnet: 192.168.1.0/24 — all computers can access any website
  • 192.168.1.100 (Client A) — restricted to www.zyxel.com only

Prerequisites

Step 1 — Assign a static IP to the restricted computer

Ensure the restricted computer (Client A) always uses the same IP address. You can do this by either configuring a static IP on the computer itself

Step 2 — Create address objects

Before setting up the policy rules, go to Configuration > Object > Address/GeoIP > Address and create the following address objects:

  • Client_A — Host, IP address 192.168.1.100
  • Allowed_Site — FQDN or Host, address www.zyxel.com
  • LAN_Lower — IP range 192.168.1.1 – 192.168.1.99
  • LAN_Upper — IP range 192.168.1.101 – 192.168.1.254

Configuration — Policy Control rules

Go to Configuration > Security Policy > Policy Control and add the following four rules in this exact order:

| Rule   | From | To  | Source                        | Destination   | Action |
|--------|------|-----|-------------------------------|---------------|--------|
| Rule 1 | LAN1 | WAN | 192.168.1.100                 | www.zyxel.com | Allow  |
| Rule 2 | LAN1 | WAN | 192.168.1.1 – 192.168.1.99    | Any           | Allow  |
| Rule 3 | LAN1 | WAN | 192.168.1.101 – 192.168.1.254 | Any           | Allow  |
| Rule 4 | LAN1 | WAN | 192.168.1.0/24                | Any           | Deny   |

How this works: Rule 1 allows Client A to reach only www.zyxel.com. Rules 2 and 3 allow all other IP addresses in the subnet to access any website. Rule 4 then blocks any remaining traffic from the subnet — this catches Client A trying to reach any destination other than www.zyxel.com, since it was not matched by Rules 2 or 3. Rule order is critical; the firewall evaluates rules from top to bottom and applies the first match.
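To check that the four rules really produce the intended result before trusting them on a live gateway, the following added example (not Zyxel's code and not part of the original post) models the first-match evaluation described above in Python and runs a few constructed flows through it. The www.zyxel.com FQDN object is pinned to a constructed TEST-NET address, because the real object is resolved by the firewall's own DNS; the fall-through action for traffic matching no rule is assumed to be deny, so verify it against the default rule on your own device.

```python
import ipaddress

# Constructed stand-in for whatever www.zyxel.com resolves to (TEST-NET-3).
# On the real USG FLEX the FQDN object is resolved by the firewall's DNS.
ALLOWED_SITE_IP = "203.0.113.10"


def host(ip):
    """Matcher for a Host address object."""
    a = ipaddress.ip_address(ip)
    return lambda x: x == a


def ip_range(first, last):
    """Matcher for an IP range address object (inclusive on both ends)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda x: lo <= x <= hi


def subnet(cidr):
    """Matcher for a subnet address object."""
    net = ipaddress.ip_network(cidr)
    return lambda x: x in net


def any_addr():
    """Matcher for the 'Any' destination."""
    return lambda x: True


# The four Policy Control rules from the post, in the order the post gives them:
# (name, from zone, to zone, source matcher, destination matcher, action)
RULES = [
    ("Rule 1", "LAN1", "WAN", host("192.168.1.100"), host(ALLOWED_SITE_IP), "allow"),
    ("Rule 2", "LAN1", "WAN", ip_range("192.168.1.1", "192.168.1.99"), any_addr(), "allow"),
    ("Rule 3", "LAN1", "WAN", ip_range("192.168.1.101", "192.168.1.254"), any_addr(), "allow"),
    ("Rule 4", "LAN1", "WAN", subnet("192.168.1.0/24"), any_addr(), "deny"),
]


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First-match evaluation, top to bottom, as the post describes.
    Returns (matching rule name, action). Traffic that matches no rule is
    assumed to hit a default deny; confirm this against your device's default rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, frm, to, src_match, dst_match, action in rules:
        if frm == src_zone and to == dst_zone and src_match(s) and dst_match(d):
            return name, action
    return "default", "deny"


# Constructed test flows (source IP, destination IP); 198.51.100.7 is any other website.
FLOWS = [
    ("192.168.1.100", ALLOWED_SITE_IP),   # Client A to the allowed site
    ("192.168.1.100", "198.51.100.7"),    # Client A to any other site
    ("192.168.1.50", "198.51.100.7"),     # another LAN host in the lower range
    ("192.168.1.200", "198.51.100.7"),    # another LAN host in the upper range
]


def check_policy(rules=RULES):
    """Evaluate every test flow from LAN1 to WAN; returns {(src, dst): (rule, action)}."""
    return {(s, d): evaluate(rules, "LAN1", "WAN", s, d) for s, d in FLOWS}


def misordered():
    """The same rules with the Deny rule moved to the top, to show why order matters."""
    return [RULES[3]] + RULES[:3]


if __name__ == "__main__":
    print("Rules in the post's order:")
    for (s, d), (rule, action) in check_policy().items():
        print(f"  {s:>15} -> {d:<15} {rule}: {action}")
    print("Deny rule moved to the top:")
    for (s, d), (rule, action) in check_policy(misordered()).items():
        print(f"  {s:>15} -> {d:<15} {rule}: {action}")
```

With the rules in the post's order, only Client A's traffic to a destination other than the allowed site reaches Rule 4; with the Deny rule moved to the top, every host in the subnet is blocked, which is the misconfiguration the "rule order is critical" note warns about. Two things the model makes visible that are worth confirming on the device: the Allow in Rule 1 only works if the FQDN object resolves to the same address the client connects to, and because Rule 4 denies all services from the whole subnet to WAN, Client A can only resolve www.zyxel.com if its DNS queries do not themselves have to cross LAN1 to WAN.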
