Oddly, what you describe doesn’t work in recent versions of Ubuntu (tried here in 10.4 and 10.10beta). That privileges GUI you mention only puts users in or removes them from the appropriate groups. But Gnome’s Network Manager doesn’t make decisions (anymore) based on these groups, but rather on the basis of PolicyKit, for which there is currently no GUI. It’s a (reported) bug. Your process does remove the connection, but it doesn’t remove the ability of the user to set it up again. Tell me if you found differently.

Create a new user (desktop-user).

Under user privileges, make sure that access to the ethernet/wireless/modem are disabled.

Open network connections and select the connections that show. Click properties, and uncheck ‘available to all users’.

Log off, then log on to the user in question. They shouldn’t be able to connect.

Note: this disables all LAN connections.

So instead of having the -owner I took that parameter out, and still get the unable to resolve host message.

pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner username -j ACCEPT

or just delete the original /etc/network/interfaces statement?

What’s pre-up do? Couldn’t find anything on it in Google.

As of yet, I haven’t been successful in getting your original DROP statement to work--and I did change the username variable.

Note: You could also disable the user’s browser permissions but this would have the negative effect of disallowing user access to locally saved web pages. You could also disallow user access to the Internet via the PC firewall such as Firestarter /etc/host/deny for outbound traffic, or at a gateway firewall if the user account was on it’s own PC.