[OPLINTECH] Internet Explorer kiosk mode stumper

Chad Neeper cneeper at level9networks.com
Thu Aug 30 16:42:32 EDT 2012


Now this looks particularly interesting. One potential problem is that if I
compile the script into an executable, 1) will that exe run without
Explorer as the shell, since *iexplore.exe* is the shell, and 2) *how* do I
run it with iexplore.exe as the shell?

For #2, perhaps as a login script. I don't think I can put it in the normal
auto-start channels like Startup group or Run registry key, since those are
dependent upon the explorer shell, I think.

It has potential, though. Although it's a 3rd party program, it's open
source and you said I don't need to actually install it on the server...

Thanks, Ron!
Chad

-- 
______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*


On Thu, Aug 30, 2012 at 4:19 PM, Ron Woods <woodsro at oplin.org> wrote:

> Hi there Chad, here is a thought you could try.
>
> You can disable any hotkeys by using an AutoHotkey remapping script.
> Instead of assigning a command to an AutoHotkey hotkey, you just tell it to
> do nothing.
>
> For example, you could paste the following script into Notepad and save it
> with a .ahk extension. If you install AutoHotkey on 1 machine, you can
> compile the script into an .exe file so you won’t need AutoHotkey installed
> on the server.
>
> ; If you don't want the kids to know there is a script running, enter this
> ; command at the top of the script.
> #NoTrayIcon
>
> ; If you only want to disable hotkeys in Internet Explorer, you need to
> ; enter this command at the top. If you do not enter it, it will block all
> ; hotkeys in any program.
> #IfWinActive ahk_class IEFrame
>
> ; Enter every hotkey that you want disabled in AutoHotkey syntax
> ; http://www.autohotkey.com/docs/Hotkeys.htm
> ; Run this script at startup
> ; Each hotkey is bound to "return", so pressing it does nothing.
>
> ^a::return         ; this stands for Control-a
> F9::return         ; this stands for F9 (caret browsing)
> F10::return        ; this stands for F10 (alternative to alt)
> LControl::return   ; this should disable all hotkeys with the left control key
> RControl::return   ; this should disable all hotkeys with the right control key
> LAlt::return       ; Same for Alt
> RAlt::return       ; Same for Alt
> LWin::return       ; Same for Winkey
> RWin::return
> LShift::return     ; you get the picture
> RShift::return
> WheelUp::return
> WheelDown::return  ; This stands for the Scroll Wheel down command
>
> This script will only disable the hotkeys for Internet Explorer. It will
> not disable hotkeys for other Windows programs. You can hide the AHK tray
> icon in the script if you want and prevent users from using Task Manager to
> close it.
>
> You can find more here:
>
> http://superuser.com/questions/352758/how-do-you-disable-hotkeys-in-internet-explorer-9
>
> This may be an easy solution to implement. Hope you get a solution figured
> out.
>
> Sincerely,
>
> Ron Woods
> Computer Services Manager
> St. Clairsville Public Library
> 740-695-2062
> http://www.stclibrary.org
> woodsro at oplin.org
>
> *From:* oplintech-bounces at lists.oplin.org [mailto:
> oplintech-bounces at lists.oplin.org] *On Behalf Of *Chad Neeper
> *Sent:* Thursday, August 30, 2012 3:50 PM
> *To:* OPLINTECH at lists.oplin.org
> *Subject:* Re: [OPLINTECH] Internet Explorer kiosk mode stumper
>
> Thanks, Kevin. Good to know PWB can ignore the CTRL- keys.  ...another
> piece to the puzzle falls into place.
>
> I'm still trying to hold out hope, though. Thanks to everyone I have a few
> more ideas to try. There has GOT to be a way!!!   LOL!
>
> Chad
>
> On Thu, Aug 30, 2012 at 2:44 PM, Kevin Puffer <kpuffer at wcdpl.org> wrote:
>
> Chad
>
> I sent this to you earlier, but didn't notice that my "reply" only went to
> Nathan. (trying to do too many things at the same time).
>
> KP
>
> ---------- Forwarded message ----------
> From: *Kevin Puffer* <kpuffer at wcdpl.org>
> Date: Thu, Aug 30, 2012 at 12:00 PM
> Subject: Re: [OPLINTECH] Internet Explorer kiosk mode stumper
> To: Nathan Rice <nrice at findlaylibrary.org>
>
>
> I feel your pain. Your quest is exactly what led me to use Public Web
> Browser for my kiosk stations (also thin clients). [
> http://www.teamsoftwaresolutions.com/ ]
> A simple app, it's basically a shell for IE but it allows pretty granular
> control over the user interface and disables these sorts of keyboard
> shortcuts. I just tried <ctl>J on one of my stations and it does nothing.
>
> I know you said no third party stuff, but at some point we all crumble.
>
> Sorry.
>
> KP
>
> On Thu, Aug 30, 2012 at 10:40 AM, Nathan Rice <nrice at findlaylibrary.org>
> wrote:
>
> Chad, I have a very similar configuration as you. I’m running a GPO with a
> custom user interface launching IE in kiosk mode, and I am having the same
> issues trying to disable the ctrl+h and ctrl+j. I’m still running standard
> desktop PCs for my catalog systems and my next move was to install KeyTweak
> to disable the Ctrl key and maybe have the custom user interface launch a
> script that opens KeyTweak then IE in kiosk mode. I also thought about
> writing something in AutoHotkey but I’m not sure how much time I really
> want to invest into this.
>
> Unfortunately it seems that there’s no easy registry or GPO setting for
> this one and since you’re running terminal services I’m sure this could be
> a little more tricky when 3rd party software gets involved…
>
> Sincerely,
>
> Nathan Rice
> Manager of Information Technology
> Findlay-Hancock County Public Library
> 206 Broadway
> Findlay, OH 45840
> 419-422-1712 (Library)
> 419-424-7051 ext. 264 (Direct Line)
> nrice at findlaylibrary.org
>
>
> *From:* oplintech-bounces at lists.oplin.org [mailto:
> oplintech-bounces at lists.oplin.org] *On Behalf Of *Chad Neeper
> *Sent:* Thursday, August 30, 2012 9:49 AM
> *To:* OPLINTECH
> *Subject:* [OPLINTECH] Internet Explorer kiosk mode stumper
>
> Ok, folks. I've got a stumper I can't seem to solve. I spent half of
> yesterday getting to this point and am hoping someone here can get me
> moving again. I'm trying to make an Internet Explorer kiosk which only
> accesses the library's web-based catalog and nothing else. I'm using a thin
> client to access a Windows 2008R2 server, so Deep Freeze isn't an option
> and all of the lock-down mechanisms must be in the user profile only so as
> to not affect other users. After the better part of the day, using nothing
> but the tools available in Windows, I've worked around all of the failings
> of doing this and have a nearly bullet proof browser locked to the catalog,
> incapable of accessing any other site and which affects only the user
> profile:
>
> I'm using Group Policies to enforce the following setup for the user:
> - Locked the browser to one website only by setting the proxy server in
> Internet Options to 127.0.0.0:91 (just a loopback address with an unused
> port...an invalid proxy server) with an exception to bypass the proxy for
> the catalog server. (This affects only the user, not the whole system.)
> - Replaced the Explorer shell with Internet Explorer running in kiosk mode
> (iexplore.exe -K)
> - Group Policies again to prevent everything but Logout when CTRL-ALT-DEL
> is pressed.
> - IE as a shell in Kiosk mode works great until it is escaped by clicking
> a link that opens a new window...which opens in regular old non-kiosk mode.
> Fixed that by majorly austere group policies and some specific registry
> changes via group policy preferences...effectively re-creating kiosk mode
> the hard way, complete with no URL bar, pull-down menus, etc.
>
> The only thing left that I can't seem to disable via GP or registry tweak
> is that CTRL-H and CTRL-J are still enabled. CTRL-H brings up the
> history/favorites window. It's pretty much benign, since I'm removing
> history and favorites, but it's a potential escape point. More devastating,
> however, is CTRL-J. This brings up the View Downloads window...which leads
> to Download Options...Which leads to a "Browse" button...Which SAYS that
> the operation is cancelled due to restrictions, but actually brings up a
> file system browse window complete with enumeration of the server's file
> system and network...which leads to anything I feel like doing, including
> easily launching a full Explorer desktop.
>
> Complete and total failure to lock down IE using available group policies
> and GPPs, even with kiosk mode enabled. On the surface it SEEMS secure, but
> as soon as some kid mashes the keyboard, the breach will be exposed.
>
> I was able to slightly limit some of the browse window by using some of
> the Explorer Group Policies, but since Internet Explorer is the shell...not
> Explorer...the policies don't seem to affect it the same way.
>
> So what I'd like to be able to do is disable at least CTRL-J...the View
> Downloads window, which will lock out the breach. I can supposedly remap
> the CTRL-J and CTRL-H scan codes to NUL but that's a computer-level change
> affecting all users. I want to keep this at the user level.
>
> Yes, I know:  Linux, or another browser with a better kiosk mode/plug-in.
> But I'm trying to use available software and tools, which means Windows OS,
> IE, and the standard tools that come with them. No third party apps. I'm
> 99.9% of the way there and it would really stink if that last .1% turns out
> to be this glaring breach that Microsoft overlooked in their infinite
> wisdom of security-as-an-afterthought.
>
> Thoughts anyone? I'm stuck.
>
> Thanks,
> Chad
>
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
> Search: http://oplin.org/techsearch
>
> --
> *Kevin Puffer*
> *Systems Administrator*
> *Wood County District Public Library*
> *251 N. Main St. Bowling Green, OH 43402*
> *(419) 352-5104   -  kpuffer at wcdpl.org*
>
>
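
The launcher below is an added example, not part of the original thread or anyone's posted code. It shows one way to start the compiled hotkey script when the Explorer shell is not running: the per-user shell becomes a small PowerShell script that starts the blocker, then IE in kiosk mode, and ends the session if either process exits. The paths, the blocker file name and the catalog URL are assumptions.

```powershell
# Added example: per-user kiosk shell launcher (PowerShell 2.0 compatible).
# Everything marked "hypothetical" or "placeholder" is an assumption, not from the thread.
$BlockerExe = 'C:\Kiosk\ie-hotkey-block.exe'   # hypothetical: the compiled AutoHotkey script
$IePath     = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$CatalogUrl = 'http://catalog.example.org/'    # placeholder catalog address

function Stop-KioskSession {
    # End the session rather than leave the user at an empty or unprotected desktop.
    & "$env:SystemRoot\System32\logoff.exe"
    exit
}

# Fail closed: if the hotkey blocker is missing, never start the browser.
if (-not (Test-Path $BlockerExe)) { Stop-KioskSession }
$blocker = Start-Process -FilePath $BlockerExe -PassThru

# Start IE in kiosk mode, the same "iexplore.exe -K" invocation the thread uses.
$ie = Start-Process -FilePath $IePath -ArgumentList '-k', $CatalogUrl -PassThru

# Supervise both processes. If the blocker dies, CTRL-J and CTRL-H are live again;
# if IE exits, there is no shell left. Either way the kiosk is in an unknown state.
while (-not $ie.HasExited -and -not $blocker.HasExited) {
    Start-Sleep -Seconds 1
}

# Clean up whichever process is still running, then log the user off.
if (-not $ie.HasExited)      { $ie.Kill() }
if (-not $blocker.HasExited) { $blocker.Kill() }
Stop-KioskSession
```

To use it, point the per-user custom user interface (shell) setting at powershell.exe with -NoProfile -WindowStyle Hidden -File and the script's path instead of at iexplore.exe directly; the script path is hypothetical.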