[OPLINTECH] Internet Explorer kiosk mode stumper

Chad Neeper cneeper at level9networks.com
Thu Aug 30 09:48:41 EDT 2012


Ok, folks. I've got a stumper I can't seem to solve. I spent half of
yesterday getting to this point and am hoping someone here can get me
moving again. I'm trying to make an Internet Explorer kiosk which only
accesses the library's web-based catalog and nothing else. I'm using a thin
client to access a Windows 2008R2 server, so Deep Freeze isn't an option
and all of the lock-down mechanisms must be in the user profile only so as
to not affect other users. After the better part of the day, using nothing
but the tools available in Windows, I've worked around all of the failings
of doing this and have a nearly bulletproof browser locked to the catalog,
incapable of accessing any other site and which affects only the user
profile:

I'm using Group Policies to enforce the following setup for the user:
- Locked the browser to one website only by setting the proxy server in
Internet Options to 127.0.0.0:91 (just a loopback address with an unused
port...an invalid proxy server) with an exception to bypass the proxy for
the catalog server. (This affects only the user, not the whole system.)
- Replaced the Explorer shell with Internet Explorer running in kiosk mode
(iexplore.exe -K)
- Group Policies again to prevent everything but Logout when CTRL-ALT-DEL
is pressed.
- IE as a shell in Kiosk mode works great until it is escaped by clicking a
link that opens a new window...which opens in regular old non-kiosk mode.
Fixed that by majorly austere group policies and some specific registry
changes via group policy preferences...effectively re-creating kiosk mode
the hard way, complete with no URL bar, pull-down menus, etc.

The only thing left that I can't seem to disable via GP or registry tweak
is that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
history/favorites window. It's pretty much benign, since I'm removing
history and favorites, but it's a potential escape point. More devastating,
however, is CTRL-J. This brings up the View Downloads window...which leads
to Download Options...Which leads to a "Browse" button...Which SAYS that
the operation is cancelled due to restrictions, but actually brings up a
file system browse window complete with enumeration of the server's file
system and network...which leads to anything I feel like doing, including
easily launching a full Explorer desktop.

Complete and total failure to lock down IE using available group policies
and GPPs, even with kiosk mode enabled. On the surface it SEEMS secure, but
as soon as some kid mashes the keyboard, the breach will be exposed.

I was able to slightly limit some of the browse window by using some of the
Explorer Group Policies, but since Internet Explorer is the shell...not
Explorer...the policies don't seem to affect it the same way.

So what I'd like to be able to do is disable at least CTRL-J...the View
Downloads window, which will lock out the breach. I can supposedly remap
the CTRL-J and CTRL-H scan codes to NUL but that's a computer-level change
affecting all users. I want to keep this at the user level.

Yes, I know:  Linux, or another browser with a better kiosk mode/plug-in.
But I'm trying to use available software and tools, which means Windows OS,
IE, and the standard tools that come with them. No third party apps. I'm
99.9% of the way there and it would really stink if that last .1% turns out
to be this glaring breach that Microsoft overlooked in their infinite
wisdom of security-as-an-afterthought.

Thoughts anyone? I'm stuck.

Thanks,
Chad

-- 
______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*
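
Added example, not part of the original post: a PowerShell audit of the per-user proxy lockdown described above, showing which host names the bypass list still lets the browser reach directly. It assumes the usual WinINet bypass-list semantics (semicolon-separated entries, `*` wildcards, `<local>` for dotless names) and the standard per-user Internet Settings registry key; the function names and sample host names are hypothetical.

```powershell
# Added example, not from the original post. Run as the kiosk user to audit
# that user's own proxy values, or pass -Settings to evaluate a config offline.
function Test-ProxyBypass {
    param([string]$HostName, [string]$ProxyOverride)
    $entries = $ProxyOverride -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -eq '<local>') {
            # <local> sends every dotless (intranet) host name direct
            if ($HostName -notmatch '\.') { return $true }
        }
        elseif ($HostName -like $entry) { return $true }   # entries may contain * wildcards
    }
    return $false
}

function Get-KioskProxyReport {
    param([hashtable]$Settings, [string[]]$ProbeHosts)
    if (-not $Settings) {
        # Per-user values, so only the kiosk profile is inspected
        $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        $p = Get-ItemProperty -Path $key
        $Settings = @{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer
                       ProxyOverride = $p.ProxyOverride }
    }
    if ($Settings.ProxyEnable -ne 1) {
        Write-Warning 'ProxyEnable is not 1: the dead proxy is not in effect.'
    }
    if ($Settings.ProxyOverride -match '<local>') {
        Write-Warning '<local> is in the bypass list: dotless intranet hosts go direct.'
    }
    foreach ($h in $ProbeHosts) {
        $direct = Test-ProxyBypass -HostName $h -ProxyOverride $Settings.ProxyOverride
        $route = if ($direct) { 'direct (reachable)' } else { "via $($Settings.ProxyServer) (blocked)" }
        New-Object PSObject -Property @{ HostName = $h; Route = $route }
    }
}

# Constructed sample: the post's dead proxy plus a hypothetical catalog host
# and a bypass list that was left with <local> in it.
$sample = @{ ProxyEnable = 1; ProxyServer = '127.0.0.0:91'
             ProxyOverride = 'catalog.example.org;<local>' }
Get-KioskProxyReport -Settings $sample `
    -ProbeHosts 'catalog.example.org', 'www.example.com', 'fileserver'
```

Calling `Get-KioskProxyReport -ProbeHosts ...` without `-Settings` reads the live values for whichever user runs it.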