[OPLINTECH] Internet Explorer kiosk mode stumper

Chad Neeper cneeper at level9networks.com
Thu Aug 30 12:44:40 EDT 2012 

Thanks for the response, Nathan. One of the things nagging in the back of
my mind was if this was a problem unique to this particular environment. If
you're having the exact same results in a similar setup, then it's not just
me. It must be a real thing. It appears you can actually do it within GPP
(or manually I assume) without KeyTweak by making some registry changes.
Check this link out:

http://www.sdmsoftware.com/group-policy-preferences/disabling-print-screen-through-group-policy/

He's talking about disabling Print Screen, but the same technique should
apply to whatever key or key combination you desire, including CTRL-H and
CTRL-J. I haven't specifically tested it (or even very closely read the
above link) myself, but I'm familiar with the concept of remapping the
scancodes, which is what he's doing using the built-in tools provided by
the OS. Used to do this occasionally in the old MS-DOS days! Still applies.

I'm still looking for a solution because the scancodes changes are computer
level policies that will affect all users. I'm really trying to find a user
policy to accomplish this.

However, this may be the only option. Not my first choice on a production
server, though!!!

If I end up going there, I'll post the exact changes I made to disable
CTRL-H and CTRL-J using the scancodes method.

Thanks,
Chad


-- 
______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*



On Thu, Aug 30, 2012 at 10:40 AM, Nathan Rice <nrice at findlaylibrary.org>wrote:

> Chad, I have a very similar configuration as you. I’m running a GPO with a
> custom user interface launching IE in kiosk mode, I am having the same
> issues trying to disable the crtl+h and ctrl+j. I’m still running standard
> desktop PCs for my catalog systems and my next move was to install KeyTweak
> to disable the Ctrl key and maybe have the custom user interface launch a
> script that opens KeyTweak then IE in kiosk mode. I also thought about
> writing something in autohotkey but I’m not sure how much time I really
> want to invest into this. ****
>
> ** **
>
> Unfortunately it seems that there’s no easy registry or GPO setting for
> this one and since you’re running terminal services I’m sure this could be
> a little more tricky when 3rd party software gets involved…  ****
>
> ** **
>
> Sincerely,****
>
>  ****
>
> Nathan Rice
> Manager of Information Technology
> Findlay-Hancock County Public Library
> 206 Broadway
> Findlay, OH 45840
> 419-422-1712 (Library)
> 419-424-7051 ext. 264 (Direct Line)
> nrice at findlaylibrary.org****
>
>
> Confidentiality Notice:
> e-mail sent is generally subject to Ohio Public Records Law except as
> otherwise provided by Ohio law or under a legal privilege.  If the reader
> of this message is not the intended recipient, please notify us immediately
> by replying to this message and deleting it from your computer.  Thank
> you.  ****
>
> ** **
>
> *From:* oplintech-bounces at lists.oplin.org [mailto:
> oplintech-bounces at lists.oplin.org] *On Behalf Of *Chad Neeper
> *Sent:* Thursday, August 30, 2012 9:49 AM
> *To:* OPLINTECH
> *Subject:* [OPLINTECH] Internet Explorer kiosk mode stumper****
>
> ** **
>
> Ok, folks. I've got a stumper I can't seem to solve. I spent half of
> yesterday getting to this point and am hoping someone here can get me
> moving again. I'm trying to make an Internet Explorer kiosk which only
> accesses the library's web-based catalog and nothing else. I'm using a thin
> client to access a Windows 2008R2 server, so Deep Freeze isn't an option
> and all of the lock-down mechanisms must be in the user profile only so as
> to not affect other users. After the better part of the day, using nothing
> but the tools available in Windows, I've worked around all of the failings
> of doing this and have a nearly bullet proof browser locked to the catalog,
> incapable of accessing any other site and which affects only the user
> profile:
>
>
> I'm using Group Policies to enforce the following setup for the user:
> - Locked the browser to one website only by setting the proxy server in
> Internet Options to 127.0.0.0:91 (just a loopback address with an unused
> port...an invalid proxy server) with an exception to bypass the proxy for
> the catalog server. (This affects only the user, not the whole system.)
> - Replaced the Explorer shell with Internet Explorer running in kiosk mode
> (iexplore.exe -K)
> - Group Policies again to prevent everything but Logout when CTRL-ALT-DEL
> is pressed.
> - IE as a shell in Kiosk mode works great until it is escaped by clicking
> a link that opens a new window...which opens in regular old non-kiosk mode.
> Fixed that by majorly austere group policies and some specific registry
> changes via group policy preferences...effectively re-creating kiosk mode
> the hard way, complete with no URL bar, pull-down menus, etc.
>
> The only thing left that I can't seem to disable via GP or registry tweak
> is that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
> history/favorites window. It's pretty much benign, since I'm removing
> history and favorites, but it's a potential escape point. More devastating,
> however, is CTRL-J. This brings up the View Downloads window...which leads
> to Download Options...Which leads to a "Browse" button...Which SAYS that
> the operation is cancelled due to restrictions, but actually brings up a
> file system browse window complete with enumeration of the server's file
> system and network...which leads to anything I feel like doing, including
> easily launching a full Explorer desktop.
>
> Complete and total failure to lock down IE using available group policies
> and GPPs, even with kiosk mode enabled. On the surface it SEEMS secure, but
> as soon as some kid mashes the keyboard, the breach will be exposed.
>
> I was able to slightly limit some of the browse window by using some of
> the Explorer Group Policies, but since Internet Explorer is the shell...ot
> Explorer...the policies don't seem to affect it the same way.
>
> So what I'd like to be able to do is disable at least CTRL-J...the View
> Downloads window, which will lock out the breach. I can supposedly remap
> the CTRL-J and CTRL-H scan codes to NUL but that's a computer-level change
> affecting all users. I want to keep this at the user level.
>
> Yes, I know:  Linux, or another browser with a better kiosk mode/plug-in.
> But I'm trying to use available software and tools, which means Windows OS,
> IE, and the standard tools that come with them. No third party apps. I'm
> 99.9% of the way there and it would really stink if that last .1% turns out
> to be this glaring breach that Microsoft overlooked in their infinite
> wisdom of security-as-an-afterthought.
>
> Thoughts anyone? I'm stuck.
>
> Thanks,
> Chad
>
> --
> ______________________________
> *Chad Neeper*
> Senior Systems Engineer
>
> *Level 9 Networks*
> 740-548-8070 (voice)
> 866-214-6607 (fax)
>
> *Full LAN/WAN consulting services -- Specialized in libraries and schools*
> ****
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.oplin.org/pipermail/oplintech/attachments/20120830/9a3a58a7/attachment-0001.html>

More information about the OPLINTECH mailing list