[OPLINTECH] Internet Explorer kiosk mode stumper
Chad Neeper
cneeper at level9networks.com
Thu Aug 30 14:36:28 EDT 2012
Travis --
I used to use PWB too. I agree; it most likely can do most/all of what I
want. (Just for kicks, though, you might try pressing CTRL-J and/or CTRL-H
in PWB and see what happens. PWB uses IE's WebBrowser control, but the GUI
is custom. It might be fine; I don't have a copy handy so can't test it.)
However, I can entirely lock down IE to just a main browser window and
NOTHING else using group policies and a couple of registry tweaks...readily
available on every copy of windows.
I'm keen to get this solution nailed down because it's nothing more than a
set of group policies. I can export/import them and have it running within
minutes at any other library where we need a catalog-only kiosk. It would
be a no-cost/no-time solution to all of my other libraries from this point
on. ...More time then available to work on the next useful thing.
The Caveman Approach: Offline, someone else suggested cutting the traces
off the boards in the keyboards to disable the CTRL (and ALT) keys. A
pencil eraser would make that reversible. But neither translates well to
being a no-cost/no-time transferable solution I can implement at other
libraries. ...So good thought...but no.
Chad
--
______________________________
*Chad Neeper*
Senior Systems Engineer
*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)
*Full LAN/WAN consulting services -- Specialized in libraries and schools*
On Thu, Aug 30, 2012 at 1:48 PM, Travis C. McAfee <mcafeetr at oplin.org>wrote:
> At Way Public Library we use Public Web Browser which forces a sort of
> “super” kiosk mode and is very customizable. It’s not free, but I’m
> guessing it would take significantly less man-hours than GP + Registry
> Hacking + hair replacement surgery (and so, may be cheaper in the long run.)
> ****
>
> ** **
>
> There’s also the caveman approach: Have you considered blocking the ctrl
> key’s movement by placing some sort of inhibitor under the key (pencil
> eraser, perhaps)? They pop off and on easily, and would be easier to
> remove/replace than the registry hack. ****
>
> ** **
>
> Travis McAfee****
>
> Systems Administrator****
>
> Way Public Library****
>
> 101 E. Indiana Ave.****
>
> Perrysburg, OH 43551****
>
> ****
>
> Voice: (419) 874-3135 x103****
>
> Fax: (419) 874-6129****
>
> Email: mcafeetr at oplin.org****
>
> Web: http://www.waylibrary.info****
>
> ** **
>
> *From:* oplintech-bounces at lists.oplin.org [mailto:
> oplintech-bounces at lists.oplin.org] *On Behalf Of *Eric Maynard
> *Sent:* Thursday, August 30, 2012 1:32 PM
> *To:* Chad Neeper; OPLINTECH
>
> *Subject:* Re: [OPLINTECH] Internet Explorer kiosk mode stumper****
>
> ** **
>
> Chad,****
>
> ** **
>
> When I was Holmes Co. we used a locked down kiosk linux distro (
> http://webconverger.com/) that booted from CD/USB and then restarted at
> the end of each session assuming the patron click on the close button. It
> also ran on an idle timer that did the same after a set time. I understand
> that is not what you are after here, but our public stations at the State
> Library might provide what you are looking for.****
>
> ** **
>
> Here at SLO, we handle the history thing on our public PCs using mandatory
> profiles and forcing reboots at session end. A clean profile (incl.
> browsing history) is then loaded for each patron. As for the downloads, we
> have locked down C: using policy in a way that even if they get a browse
> button (and I only saw one in quick testing), then they are not able to
> browse anywhere useful in Explorer.****
>
> ** **
>
> I would be happy to share our resultant set off list if you think it would
> be helpful.****
>
> ** **
>
> -Eric****
>
> ** **
>
> *From:* oplintech-bounces at lists.oplin.org
> [mailto:oplintech-bounces at lists.oplin.org] *On Behalf Of *Chad Neeper
> *Sent:* Thursday, August 30, 2012 12:45 PM
> *To:* OPLINTECH
> *Subject:* Re: [OPLINTECH] Internet Explorer kiosk mode stumper****
>
> ** **
>
> Thanks for the response, Nathan. One of the things nagging in the back of
> my mind was if this was a problem unique to this particular environment. If
> you're having the exact same results in a similar setup, then it's not just
> me. It must be a real thing. It appears you can actually do it within GPP
> (or manually I assume) without KeyTweak by making some registry changes.
> Check this link out:
>
>
> http://www.sdmsoftware.com/group-policy-preferences/disabling-print-screen-through-group-policy/
>
> He's talking about disabling Print Screen, but the same technique should
> apply to whatever key or key combination you desire, including CTRL-H and
> CTRL-J. I haven't specifically tested it (or even very closely read the
> above link) myself, but I'm familiar with the concept of remapping the
> scancodes, which is what he's doing using the built-in tools provided by
> the OS. Used to do this occasionally in the old MS-DOS days! Still applies.
>
> I'm still looking for a solution because the scancodes changes are
> computer level policies that will affect all users. I'm really trying to
> find a user policy to accomplish this.
>
> However, this may be the only option. Not my first choice on a production
> server, though!!!
>
> If I end up going there, I'll post the exact changes I made to disable
> CTRL-H and CTRL-J using the scancodes method.
>
> Thanks,
> Chad
>
>
> --
> ______________________________
> *Chad Neeper*
> Senior Systems Engineer
>
> *Level 9 Networks*
> 740-548-8070 (voice)
> 866-214-6607 (fax)
>
> *Full LAN/WAN consulting services -- Specialized in libraries and schools*
>
> ****
>
> On Thu, Aug 30, 2012 at 10:40 AM, Nathan Rice <nrice at findlaylibrary.org>
> wrote:****
>
> Chad, I have a very similar configuration as you. I’m running a GPO with a
> custom user interface launching IE in kiosk mode, I am having the same
> issues trying to disable the crtl+h and ctrl+j. I’m still running standard
> desktop PCs for my catalog systems and my next move was to install KeyTweak
> to disable the Ctrl key and maybe have the custom user interface launch a
> script that opens KeyTweak then IE in kiosk mode. I also thought about
> writing something in autohotkey but I’m not sure how much time I really
> want to invest into this. ****
>
> ****
>
> Unfortunately it seems that there’s no easy registry or GPO setting for
> this one and since you’re running terminal services I’m sure this could be
> a little more tricky when 3rd party software gets involved… ****
>
> ****
>
> Sincerely,****
>
> ****
>
> Nathan Rice
> Manager of Information Technology
> Findlay-Hancock County Public Library
> 206 Broadway
> Findlay, OH 45840
> 419-422-1712 (Library)
> 419-424-7051 ext. 264 (Direct Line)
> nrice at findlaylibrary.org****
>
>
> Confidentiality Notice:
> e-mail sent is generally subject to Ohio Public Records Law except as
> otherwise provided by Ohio law or under a legal privilege. If the reader
> of this message is not the intended recipient, please notify us immediately
> by replying to this message and deleting it from your computer. Thank
> you. ****
>
> ****
>
> *From:* oplintech-bounces at lists.oplin.org [mailto:
> oplintech-bounces at lists.oplin.org] *On Behalf Of *Chad Neeper
> *Sent:* Thursday, August 30, 2012 9:49 AM
> *To:* OPLINTECH
> *Subject:* [OPLINTECH] Internet Explorer kiosk mode stumper****
>
> ****
>
> Ok, folks. I've got a stumper I can't seem to solve. I spent half of
> yesterday getting to this point and am hoping someone here can get me
> moving again. I'm trying to make an Internet Explorer kiosk which only
> accesses the library's web-based catalog and nothing else. I'm using a thin
> client to access a Windows 2008R2 server, so Deep Freeze isn't an option
> and all of the lock-down mechanisms must be in the user profile only so as
> to not affect other users. After the better part of the day, using nothing
> but the tools available in Windows, I've worked around all of the failings
> of doing this and have a nearly bullet proof browser locked to the catalog,
> incapable of accessing any other site and which affects only the user
> profile:****
>
>
>
> I'm using Group Policies to enforce the following setup for the user:
> - Locked the browser to one website only by setting the proxy server in
> Internet Options to 127.0.0.0:91 (just a loopback address with an unused
> port...an invalid proxy server) with an exception to bypass the proxy for
> the catalog server. (This affects only the user, not the whole system.)
> - Replaced the Explorer shell with Internet Explorer running in kiosk mode
> (iexplore.exe -K)
> - Group Policies again to prevent everything but Logout when CTRL-ALT-DEL
> is pressed.
> - IE as a shell in Kiosk mode works great until it is escaped by clicking
> a link that opens a new window...which opens in regular old non-kiosk mode.
> Fixed that by majorly austere group policies and some specific registry
> changes via group policy preferences...effectively re-creating kiosk mode
> the hard way, complete with no URL bar, pull-down menus, etc.
>
> The only thing left that I can't seem to disable via GP or registry tweak
> is that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
> history/favorites window. It's pretty much benign, since I'm removing
> history and favorites, but it's a potential escape point. More devastating,
> however, is CTRL-J. This brings up the View Downloads window...which leads
> to Download Options...Which leads to a "Browse" button...Which SAYS that
> the operation is cancelled due to restrictions, but actually brings up a
> file system browse window complete with enumeration of the server's file
> system and network...which leads to anything I feel like doing, including
> easily launching a full Explorer desktop.
>
> Complete and total failure to lock down IE using available group policies
> and GPPs, even with kiosk mode enabled. On the surface it SEEMS secure, but
> as soon as some kid mashes the keyboard, the breach will be exposed.
>
> I was able to slightly limit some of the browse window by using some of
> the Explorer Group Policies, but since Internet Explorer is the shell...ot
> Explorer...the policies don't seem to affect it the same way.
>
> So what I'd like to be able to do is disable at least CTRL-J...the View
> Downloads window, which will lock out the breach. I can supposedly remap
> the CTRL-J and CTRL-H scan codes to NUL but that's a computer-level change
> affecting all users. I want to keep this at the user level.
>
> Yes, I know: Linux, or another browser with a better kiosk mode/plug-in.
> But I'm trying to use available software and tools, which means Windows OS,
> IE, and the standard tools that come with them. No third party apps. I'm
> 99.9% of the way there and it would really stink if that last .1% turns out
> to be this glaring breach that Microsoft overlooked in their infinite
> wisdom of security-as-an-afterthought.
>
> Thoughts anyone? I'm stuck.
>
> Thanks,
> Chad
>
> --
> ______________________________
> *Chad Neeper*
> Senior Systems Engineer
>
> *Level 9 Networks*
> 740-548-8070 (voice)
> 866-214-6607 (fax)
>
> *Full LAN/WAN consulting services -- Specialized in libraries and schools*
> ****
>
> ** **
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.oplin.org/pipermail/oplintech/attachments/20120830/4775664e/attachment-0001.html>
More information about the OPLINTECH
mailing list