[OPLINTECH] Internet Explorer kiosk mode stumper
Ron Woods
woodsro at oplin.org
Thu Aug 30 16:19:29 EDT 2012
Hi there Chad, here is a thought you could try.
You can disable any hotkeys by using an AutoHotkey remapping script. Instead
of assigning a command to an AutoHotkey hotkey, you just tell it to do
nothing.
For example You could paste the following script into notepad and save it
with a .ahk extension. If you install AutoHotkey on 1 machine, you can
compile the script into an .exe file so you won't need AutoHotkey installed
on the server.
; If you don't want the kids to know there is a script running, enter this
command at the top of the script.
#NoTrayIcon
; If you only want to disable hotkeys in Internet Explorer, you need to
enter this command at the top. If you do not enter it, it will block all
hotkeys in any program.
#ifwinactive ahk_class IEFrame
; Enter every hotkey that you want disabled in AutoHotkey Syntax
; http://www.autohotkey.com/docs/Hotkeys.htm
; Run this script at startup
^a:: ; this stands for Control-a
F9:: ; this stands for F9 (caret browsing)
F10:: ; this stands for F10 (alternative to alt)
LControl:: ; this should disable all hotkeys with the left control key
RControl:: ; this should disable all hotkeys with the right control key
LAlt:: ; Same for Alt
RAlt:: ; Same for Alt
LWin:: ; Same for Winkey
RWin::
Lshift:: ; you get the picture
Rshift::
WheelUp::
WheelDown:: ; This stands for the Scroll Wheel down command
This script will only disable the Hotkeys for Internet Explorer. It will not
disable hotkeys for other windows programs. You can hide the AHK tray Icon
if you want in script and prevent users from using Task Manager to close it.
You can find more here
http://superuser.com/questions/352758/how-do-you-disable-hotkeys-in-internet
-explorer-9
This may be an easy solution to implement. Hope you get a solution figured
out.
Sincerely
Ron Woods
Computer Services Manager
St. Clairsville Public Library
740-695-2062
http://www.stclibrary.org
woodsro at oplin.org
From: oplintech-bounces at lists.oplin.org
[mailto:oplintech-bounces at lists.oplin.org] On Behalf Of Chad Neeper
Sent: Thursday, August 30, 2012 3:50 PM
To: OPLINTECH at lists.oplin.org
Subject: Re: [OPLINTECH] Internet Explorer kiosk mode stumper
Thanks, Kevin. Good to know PWB can ignore the CTRL- keys. ...another piece
to the puzzle falls into place.
I'm still trying to hold out hope, though. Thanks to everyone I have a few
more ideas to try. There has GOT to be a way!!! LOL!
Chad
--
______________________________
Chad Neeper
Senior Systems Engineer
Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)
Full LAN/WAN consulting services -- Specialized in libraries and schools
On Thu, Aug 30, 2012 at 2:44 PM, Kevin Puffer <kpuffer at wcdpl.org> wrote:
Chad
I sent this to you earlier, but didn't notice that my "reply only went to
Nathan. (trying to do too many things at the same time).
KP
---------- Forwarded message ----------
From: Kevin Puffer <kpuffer at wcdpl.org>
Date: Thu, Aug 30, 2012 at 12:00 PM
Subject: Re: [OPLINTECH] Internet Explorer kiosk mode stumper
To: Nathan Rice <nrice at findlaylibrary.org>
I feel your pain. Your quest is exactly what led me to use Public Web
Browser for my kiosk stations (also thin clients).
[http://www.teamsoftwaresolutions.com/ ]
A simple ap, It's basically a shell for IE but it allows pretty granular
control over the user interface and disables these sort of keyboard
shortcuts. I just tried <ctl>J on one of my stations and it does nothing.
I know you said no third party stuff, but at some point we all crumble.
Sorry.
KP
On Thu, Aug 30, 2012 at 10:40 AM, Nathan Rice <nrice at findlaylibrary.org>
wrote:
Chad, I have a very similar configuration as you. I'm running a GPO with a
custom user interface launching IE in kiosk mode, I am having the same
issues trying to disable the crtl+h and ctrl+j. I'm still running standard
desktop PCs for my catalog systems and my next move was to install KeyTweak
to disable the Ctrl key and maybe have the custom user interface launch a
script that opens KeyTweak then IE in kiosk mode. I also thought about
writing something in autohotkey but I'm not sure how much time I really want
to invest into this.
Unfortunately it seems that there's no easy registry or GPO setting for this
one and since you're running terminal services I'm sure this could be a
little more tricky when 3rd party software gets involved.
Sincerely,
Nathan Rice
Manager of Information Technology
Findlay-Hancock County Public Library
206 Broadway
Findlay, OH 45840
419-422-1712 (Library)
419-424-7051 ext. 264 <tel:419-424-7051%20ext.%20264> (Direct Line)
<mailto:nrice at findlaylibrary.org> nrice at findlaylibrary.org
Confidentiality Notice:
e-mail sent is generally subject to Ohio Public Records Law except as
otherwise provided by Ohio law or under a legal privilege. If the reader of
this message is not the intended recipient, please notify us immediately by
replying to this message and deleting it from your computer. Thank you.
From: oplintech-bounces at lists.oplin.org
[mailto:oplintech-bounces at lists.oplin.org] On Behalf Of Chad Neeper
Sent: Thursday, August 30, 2012 9:49 AM
To: OPLINTECH
Subject: [OPLINTECH] Internet Explorer kiosk mode stumper
Ok, folks. I've got a stumper I can't seem to solve. I spent half of
yesterday getting to this point and am hoping someone here can get me moving
again. I'm trying to make an Internet Explorer kiosk which only accesses the
library's web-based catalog and nothing else. I'm using a thin client to
access a Windows 2008R2 server, so Deep Freeze isn't an option and all of
the lock-down mechanisms must be in the user profile only so as to not
affect other users. After the better part of the day, using nothing but the
tools available in Windows, I've worked around all of the failings of doing
this and have a nearly bullet proof browser locked to the catalog, incapable
of accessing any other site and which affects only the user profile:
I'm using Group Policies to enforce the following setup for the user:
- Locked the browser to one website only by setting the proxy server in
Internet Options to 127.0.0.0:91 (just a loopback address with an unused
port...an invalid proxy server) with an exception to bypass the proxy for
the catalog server. (This affects only the user, not the whole system.)
- Replaced the Explorer shell with Internet Explorer running in kiosk mode
(iexplore.exe -K)
- Group Policies again to prevent everything but Logout when CTRL-ALT-DEL is
pressed.
- IE as a shell in Kiosk mode works great until it is escaped by clicking a
link that opens a new window...which opens in regular old non-kiosk mode.
Fixed that by majorly austere group policies and some specific registry
changes via group policy preferences...effectively re-creating kiosk mode
the hard way, complete with no URL bar, pull-down menus, etc.
The only thing left that I can't seem to disable via GP or registry tweak is
that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
history/favorites window. It's pretty much benign, since I'm removing
history and favorites, but it's a potential escape point. More devastating,
however, is CTRL-J. This brings up the View Downloads window...which leads
to Download Options...Which leads to a "Browse" button...Which SAYS that the
operation is cancelled due to restrictions, but actually brings up a file
system browse window complete with enumeration of the server's file system
and network...which leads to anything I feel like doing, including easily
launching a full Explorer desktop.
Complete and total failure to lock down IE using available group policies
and GPPs, even with kiosk mode enabled. On the surface it SEEMS secure, but
as soon as some kid mashes the keyboard, the breach will be exposed.
I was able to slightly limit some of the browse window by using some of the
Explorer Group Policies, but since Internet Explorer is the shell...ot
Explorer...the policies don't seem to affect it the same way.
So what I'd like to be able to do is disable at least CTRL-J...the View
Downloads window, which will lock out the breach. I can supposedly remap the
CTRL-J and CTRL-H scan codes to NUL but that's a computer-level change
affecting all users. I want to keep this at the user level.
Yes, I know: Linux, or another browser with a better kiosk mode/plug-in.
But I'm trying to use available software and tools, which means Windows OS,
IE, and the standard tools that come with them. No third party apps. I'm
99.9% of the way there and it would really stink if that last .1% turns out
to be this glaring breach that Microsoft overlooked in their infinite wisdom
of security-as-an-afterthought.
Thoughts anyone? I'm stuck.
Thanks,
Chad
--
______________________________
Chad Neeper
Senior Systems Engineer
Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)
Full LAN/WAN consulting services -- Specialized in libraries and schools
_______________________________________________
OPLINTECH mailing list
OPLINTECH at lists.oplin.org
http://lists.oplin.org/mailman/listinfo/oplintech
Search: http://oplin.org/techsearch
--
Kevin Puffer
Systems Administrator
Description: http://wcdpl.org/sites/default/files/foliage_logo.jpg
Wood County District Public Library
251 N. Main St. Bowling Green, OH 43402
(419) 352-5104 - kpuffer at wcdpl.org
--
Kevin Puffer
Systems Administrator
Description: http://wcdpl.org/sites/default/files/foliage_logo.jpg
Wood County District Public Library
251 N. Main St. Bowling Green, OH 43402
(419) 352-5104 - kpuffer at wcdpl.org
--
______________________________
Chad Neeper
Senior Systems Engineer
Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)
Full LAN/WAN consulting services -- Specialized in libraries and schools
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.oplin.org/pipermail/oplintech/attachments/20120830/0dc46271/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1792 bytes
Desc: not available
URL: <http://lists.oplin.org/pipermail/oplintech/attachments/20120830/0dc46271/attachment-0001.jpg>
More information about the OPLINTECH
mailing list