[OPLINTECH] Internet Explorer kiosk mode stumper
Nathan Rice
nrice at findlaylibrary.org
Thu Aug 30 10:40:20 EDT 2012
Chad, I have a very similar configuration to yours. I'm running a GPO with
a custom user interface launching IE in kiosk mode, and I am having the same
issues trying to disable the ctrl+h and ctrl+j. I'm still running
standard desktop PCs for my catalog systems and my next move was to
install KeyTweak to disable the Ctrl key and maybe have the custom user
interface launch a script that opens KeyTweak then IE in kiosk mode. I
also thought about writing something in AutoHotkey but I'm not sure how
much time I really want to invest into this.
Unfortunately it seems that there's no easy registry or GPO setting for
this one and since you're running terminal services I'm sure this could
be a little more tricky when 3rd party software gets involved...
Sincerely,
Nathan Rice
Manager of Information Technology
Findlay-Hancock County Public Library
206 Broadway
Findlay, OH 45840
419-422-1712 (Library)
419-424-7051 ext. 264 (Direct Line)
nrice at findlaylibrary.org
From: oplintech-bounces at lists.oplin.org
[mailto:oplintech-bounces at lists.oplin.org] On Behalf Of Chad Neeper
Sent: Thursday, August 30, 2012 9:49 AM
To: OPLINTECH
Subject: [OPLINTECH] Internet Explorer kiosk mode stumper
Ok, folks. I've got a stumper I can't seem to solve. I spent half of
yesterday getting to this point and am hoping someone here can get me
moving again. I'm trying to make an Internet Explorer kiosk which only
accesses the library's web-based catalog and nothing else. I'm using a
thin client to access a Windows 2008R2 server, so Deep Freeze isn't an
option and all of the lock-down mechanisms must be in the user profile
only so as to not affect other users. After the better part of the day,
using nothing but the tools available in Windows, I've worked around all
of the failings of doing this and have a nearly bulletproof browser
locked to the catalog, incapable of accessing any other site and which
affects only the user profile:
I'm using Group Policies to enforce the following setup for the user:
- Locked the browser to one website only by setting the proxy server in
Internet Options to 127.0.0.0:91 (just a loopback address with an unused
port...an invalid proxy server) with an exception to bypass the proxy
for the catalog server. (This affects only the user, not the whole
system.)
- Replaced the Explorer shell with Internet Explorer running in kiosk
mode (iexplore.exe -K)
- Group Policies again to prevent everything but Logout when
CTRL-ALT-DEL is pressed.
- IE as a shell in Kiosk mode works great until it is escaped by
clicking a link that opens a new window...which opens in regular old
non-kiosk mode. Fixed that by majorly austere group policies and some
specific registry changes via group policy preferences...effectively
re-creating kiosk mode the hard way, complete with no URL bar, pull-down
menus, etc.
The only thing left that I can't seem to disable via GP or registry
tweak is that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
history/favorites window. It's pretty much benign, since I'm removing
history and favorites, but it's a potential escape point. More
devastating, however, is CTRL-J. This brings up the View Downloads
window...which leads to Download Options...Which leads to a "Browse"
button...Which SAYS that the operation is cancelled due to restrictions,
but actually brings up a file system browse window complete with
enumeration of the server's file system and network...which leads to
anything I feel like doing, including easily launching a full Explorer
desktop.
Complete and total failure to lock down IE using available group
policies and GPPs, even with kiosk mode enabled. On the surface it SEEMS
secure, but as soon as some kid mashes the keyboard, the breach will be
exposed.
I was able to slightly limit some of the browse window by using some of
the Explorer Group Policies, but since Internet Explorer is the
shell...not Explorer...the policies don't seem to affect it the same way.
So what I'd like to be able to do is disable at least CTRL-J...the View
Downloads window, which will lock out the breach. I can supposedly remap
the CTRL-J and CTRL-H scan codes to NUL but that's a computer-level
change affecting all users. I want to keep this at the user level.
Yes, I know: Linux, or another browser with a better kiosk
mode/plug-in. But I'm trying to use available software and tools, which
means Windows OS, IE, and the standard tools that come with them. No
third party apps. I'm 99.9% of the way there and it would really stink
if that last .1% turns out to be this glaring breach that Microsoft
overlooked in their infinite wisdom of security-as-an-afterthought.
Thoughts anyone? I'm stuck.
Thanks,
Chad
--
______________________________
Chad Neeper
Senior Systems Engineer
Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)
Full LAN/WAN consulting services -- Specialized in libraries and schools
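
Added example (not part of either message above): a PowerShell check a kiosk administrator could run to confirm that the per-user proxy lock-down described in the original post is actually in effect and that the bypass list lets through nothing but the catalog. The function name, the host name catalog.example.org and the sample values are constructed placeholders, and the check assumes ProxyServer holds a single host:port value.

```powershell
# Added example: audits the per-user "dead proxy" lock-down values.
# Test-KioskProxyLockdown is a hypothetical helper name, not a built-in cmdlet.
function Test-KioskProxyLockdown {
    param(
        [Parameter(Mandatory=$true)] $Settings,               # ProxyEnable, ProxyServer, ProxyOverride
        [Parameter(Mandatory=$true)] [string[]] $AllowedHosts # hosts permitted to bypass the proxy
    )
    $findings = @()

    # If the proxy is switched off, the invalid proxy is ignored and every site is reachable.
    if ($Settings.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1: the invalid proxy is not being used'
    }

    # The proxy must be a loopback address so that proxied requests go nowhere.
    $proxyHost = ([string]$Settings.ProxyServer -split ':')[0]
    if ($proxyHost -notmatch '^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$') {
        $findings += "ProxyServer '$($Settings.ProxyServer)' is not a loopback address"
    }

    # Every bypass entry is a hole in the lock-down; only the catalog should appear.
    $bypass = @([string]$Settings.ProxyOverride -split ';' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($bypass.Count -eq 0) {
        $findings += 'ProxyOverride is empty: the catalog itself is unreachable'
    }
    foreach ($entry in $bypass) {
        if ($entry -eq '<local>') {
            $findings += "Bypass '<local>' exempts every dotless intranet host name"
        } elseif ($entry -match '[*?]') {
            $findings += "Bypass '$entry' contains a wildcard and may match other hosts"
        } elseif ($AllowedHosts -notcontains $entry) {
            $findings += "Bypass '$entry' is not an approved catalog host"
        }
    }
    return $findings
}

# Constructed sample values; on the kiosk session the live ones come from
# Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$sample = @{
    ProxyEnable   = 1
    ProxyServer   = '127.0.0.0:91'
    ProxyOverride = 'catalog.example.org;<local>'
}
Test-KioskProxyLockdown -Settings $sample -AllowedHosts 'catalog.example.org'
```

An empty result means the three values match the intended lock-down; it says nothing about keyboard shortcuts such as CTRL-J, which these settings do not control.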