[OPLINTECH] Internet Explorer kiosk mode stumper

Chad Neeper cneeper at level9networks.com
Thu Aug 30 15:49:57 EDT 2012


Thanks, Kevin. Good to know PWB can ignore the CTRL- keys.  ...another
piece to the puzzle falls into place.

I'm still trying to hold out hope, though. Thanks to everyone I have a few
more ideas to try. There has GOT to be a way!!!   LOL!

Chad

-- 
______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*


On Thu, Aug 30, 2012 at 2:44 PM, Kevin Puffer <kpuffer at wcdpl.org> wrote:

> Chad
>
> I sent this to you earlier, but didn't notice that my reply only went to
> Nathan. (trying to do too many things at the same time).
> KP
>
>
> ---------- Forwarded message ----------
> From: Kevin Puffer <kpuffer at wcdpl.org>
> Date: Thu, Aug 30, 2012 at 12:00 PM
> Subject: Re: [OPLINTECH] Internet Explorer kiosk mode stumper
> To: Nathan Rice <nrice at findlaylibrary.org>
>
>
> I feel your pain. Your quest is exactly what led me to use Public Web
> Browser for my kiosk stations (also thin clients). [
> http://www.teamsoftwaresolutions.com/ ]
> A simple app, it's basically a shell for IE but it allows pretty granular
> control over the user interface and disables these sorts of keyboard
> shortcuts. I just tried <ctl>J on one of my stations and it does nothing.
>
> I know you said no third party stuff, but at some point we all crumble.
> Sorry.
> KP
>
>
> On Thu, Aug 30, 2012 at 10:40 AM, Nathan Rice <nrice at findlaylibrary.org> wrote:
>
>> Chad, I have a very similar configuration as you. I’m running a GPO with
>> a custom user interface launching IE in kiosk mode, I am having the same
>> issues trying to disable the ctrl+h and ctrl+j. I’m still running standard
>> desktop PCs for my catalog systems and my next move was to install KeyTweak
>> to disable the Ctrl key and maybe have the custom user interface launch a
>> script that opens KeyTweak then IE in kiosk mode. I also thought about
>> writing something in autohotkey but I’m not sure how much time I really
>> want to invest into this.
>>
>> Unfortunately it seems that there’s no easy registry or GPO setting for
>> this one and since you’re running terminal services I’m sure this could be
>> a little more tricky when 3rd party software gets involved…
>>
>> Sincerely,
>>
>>
>> Nathan Rice
>> Manager of Information Technology
>> Findlay-Hancock County Public Library
>> 206 Broadway
>> Findlay, OH 45840
>> 419-422-1712 (Library)
>> 419-424-7051 ext. 264 (Direct Line)
>> nrice at findlaylibrary.org
>>
>>
>> *From:* oplintech-bounces at lists.oplin.org [mailto:
>> oplintech-bounces at lists.oplin.org] *On Behalf Of *Chad Neeper
>> *Sent:* Thursday, August 30, 2012 9:49 AM
>> *To:* OPLINTECH
>> *Subject:* [OPLINTECH] Internet Explorer kiosk mode stumper
>>
>> Ok, folks. I've got a stumper I can't seem to solve. I spent half of
>> yesterday getting to this point and am hoping someone here can get me
>> moving again. I'm trying to make an Internet Explorer kiosk which only
>> accesses the library's web-based catalog and nothing else. I'm using a thin
>> client to access a Windows 2008R2 server, so Deep Freeze isn't an option
>> and all of the lock-down mechanisms must be in the user profile only so as
>> to not affect other users. After the better part of the day, using nothing
>> but the tools available in Windows, I've worked around all of the failings
>> of doing this and have a nearly bullet proof browser locked to the catalog,
>> incapable of accessing any other site and which affects only the user
>> profile:
>>
>> I'm using Group Policies to enforce the following setup for the user:
>> - Locked the browser to one website only by setting the proxy server in
>> Internet Options to 127.0.0.0:91 (just a loopback address with an unused
>> port...an invalid proxy server) with an exception to bypass the proxy for
>> the catalog server. (This affects only the user, not the whole system.)
>> - Replaced the Explorer shell with Internet Explorer running in kiosk
>> mode (iexplore.exe -K)
>> - Group Policies again to prevent everything but Logout when CTRL-ALT-DEL
>> is pressed.
>> - IE as a shell in Kiosk mode works great until it is escaped by clicking
>> a link that opens a new window...which opens in regular old non-kiosk mode.
>> Fixed that by majorly austere group policies and some specific registry
>> changes via group policy preferences...effectively re-creating kiosk mode
>> the hard way, complete with no URL bar, pull-down menus, etc.
>>
>> The only thing left that I can't seem to disable via GP or registry tweak
>> is that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
>> history/favorites window. It's pretty much benign, since I'm removing
>> history and favorites, but it's a potential escape point. More devastating,
>> however, is CTRL-J. This brings up the View Downloads window...which leads
>> to Download Options...Which leads to a "Browse" button...Which SAYS that
>> the operation is cancelled due to restrictions, but actually brings up a
>> file system browse window complete with enumeration of the server's file
>> system and network...which leads to anything I feel like doing, including
>> easily launching a full Explorer desktop.
>>
>> Complete and total failure to lock down IE using available group policies
>> and GPPs, even with kiosk mode enabled. On the surface it SEEMS secure, but
>> as soon as some kid mashes the keyboard, the breach will be exposed.
>>
>> I was able to slightly limit some of the browse window by using some of
>> the Explorer Group Policies, but since Internet Explorer is the shell...not
>> Explorer...the policies don't seem to affect it the same way.
>>
>> So what I'd like to be able to do is disable at least CTRL-J...the View
>> Downloads window, which will lock out the breach. I can supposedly remap
>> the CTRL-J and CTRL-H scan codes to NUL but that's a computer-level change
>> affecting all users. I want to keep this at the user level.
>>
>> Yes, I know:  Linux, or another browser with a better kiosk mode/plug-in.
>> But I'm trying to use available software and tools, which means Windows OS,
>> IE, and the standard tools that come with them. No third party apps. I'm
>> 99.9% of the way there and it would really stink if that last .1% turns out
>> to be this glaring breach that Microsoft overlooked in their infinite
>> wisdom of security-as-an-afterthought.
>>
>> Thoughts anyone? I'm stuck.
>>
>> Thanks,
>> Chad
>>
>>
>
>
> --
>   *Kevin Puffer*
> *Systems Administrator*
>
> *Wood County District Public Library*
> *251 N. Main St. Bowling Green, OH 43402*
> *(419) 352-5104 - kpuffer at wcdpl.org*
>
>
>
>
>
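
The per-user lockdown described in the original post (dead-end loopback proxy, a bypass entry for the catalog server, IE in kiosk mode as the shell) can be checked from inside the kiosk profile. The script below is an added example, not code from any poster in this thread. Assumptions: the host name catalog.example.org is a placeholder, the function name Test-KioskProfile is made up for illustration, the proxy values sit under the user's Internet Settings key, and the shell is set through the "Custom User Interface" policy value.

```powershell
# Added example (not from the thread): audit a kiosk user's lockdown settings.
param(
    [string]$CatalogHost = 'catalog.example.org',  # placeholder host name
    [switch]$Live                                  # read the current user's registry
)

function Test-KioskProfile {
    param([hashtable]$Inet, [string]$Shell, [string]$CatalogHost)
    $findings = @()
    if ($Inet.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1: IE connects directly to any site'
    }
    # Assumes the single "host:port" form, as in the thread (127.0.0.0:91)
    if ("$($Inet.ProxyServer)" -notmatch '^127\.\d+\.\d+\.\d+:\d+$') {
        $findings += "ProxyServer '$($Inet.ProxyServer)' is not a loopback dead end"
    }
    # ProxyOverride is a semicolon-separated list of hosts that skip the proxy
    $bypass = @("$($Inet.ProxyOverride)".Split(';') | Where-Object { $_ })
    foreach ($entry in $bypass) {
        if ($entry -eq '<local>') {
            $findings += "'<local>' lets every dotless intranet host name bypass the proxy"
        } elseif ($entry.Contains('*')) {
            $findings += "Wildcard bypass '$entry' allows more than the catalog"
        } elseif ($entry -ne $CatalogHost) {
            $findings += "Unexpected bypass entry '$entry'"
        }
    }
    if ($bypass -notcontains $CatalogHost) {
        $findings += "Catalog host '$CatalogHost' is missing from the bypass list"
    }
    if ($Shell -notmatch 'iexplore(\.exe)?"?\s+-k(\s|$)') {
        $findings += "Per-user shell '$Shell' is not IE in kiosk mode"
    }
    return $findings
}

if ($Live) {
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = @{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer; ProxyOverride = $p.ProxyOverride }
    # Value written by the "Custom User Interface" policy
    $shell = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).Shell
} else {
    # Constructed sample: the thread's setup plus a stray '<local>' entry
    $inet = @{ ProxyEnable = 1; ProxyServer = '127.0.0.0:91'; ProxyOverride = 'catalog.example.org;<local>' }
    $shell = 'iexplore.exe -K'
}
$result = @(Test-KioskProfile -Inet $inet -Shell $shell -CatalogHost $CatalogHost)
if ($result.Count) { $result | ForEach-Object { "FINDING: $_" } } else { 'OK: profile matches the described lockdown' }
```

Run without arguments it evaluates the constructed sample and reports the '<local>' entry; run with -Live in the kiosk user's session it reads that user's own values.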

