Limit a user account to use only Internet Explorer (or Firefox) in Windows 7 Home Premium

Question

I want to lock down the computer to allow browsing the Internet only (using IE and/or Firefox) and maybe also allow them to play a video file on the computer and adjust volume control.

That is it.

I looked into parental control, but I did not find a way to disable access to things like Control Panel and such.

How do I accomplish this on Windows 7 Home Premium (which means I can not use gpedit.msc)?

Answer 1

Stackoverflow has dealt with a similar question: https://stackoverflow.com/questions/4617303/does-windows-7-have-a-kiosk-mode

You're trying to configure what is generally called "kiosk mode" in Win7.

For the browser, I'm not positive, but I believe the default application dialog first included in WinXP had the option to, along with choosing which application was to be used for specific activities, limit access to other applications of the same type.

However, you can do this relatively simply by installing IE (or FF) and creating user accounts that prevent installing any other apps. Google Chrome, because it usually installs in local user profile folders, may require more lockdown to prevent install.

UPDATE adding link with additional info: Here's an article regarding setting up Windows 7 for a kiosk-like interface lockdown: http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html

It includes tips on how to lock down a computer to only allow certain programs to be run by regular users, such as Firefox.exe and iexplore.exe.

UPDATE adding links for windows 7 home limitations: Microsoft support site suggests replacing the shell command in the registry with internet explorer, a rather brilliant idea. This means that instead of the start menu and taskbar and desktop icons showing up when you turn the computer on or log in, you just get IE and nothing else. CTRL-ALT-DEL could still be run to open the task manager and then run explorer.exe but this page has instructions for remapping CTRL-ALT-DEL so that it no longer functions as the three-finger-salute.

These two options together will go a long way towards what you're looking for, I believe. And coupled with a proper limited user account and a settings lock program such as deep freeze (which I've heard good things about but have never used myself), should create a secure kiosk-like system using just windows 7 home.

Answer 2

If you want an internet only (kiosk) mode for a specific user account while preserving all pre-existing normal accounts - I've successfully applied the following method when family relatives visit:

1. Decide on a location for storing several small scripts. This example uses c:\users for brevity.
2. Create an admin user account - this will be reduced to a standard user account later.
3. Log into the account.
4. Download Opera internet browser. (Firefox currently lacks a full featured kiosk mode)
5. Modify Opera to suit taste.

6. Create a batch file that invokes the browser and log outs when browser is closed (e.g. internet-only.bat):

   @echo off
   start "" /wait "C:\Program Files (x86)\Opera\opera" -kioskmode -kioskwindows -nocontextmenu -nominmaxbuttons -nodownload -nomail -nomailto -nomenu -nosave -resetonexit -newprivatetab
   shutdown /l
   

7. Create a VB script snippet that will hide the "monitoring" batch file window (e.g. invisible.vbs):

   CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
   

8. Create a batch file that will act as the custom window shell and invoke the browser via the VB script hiding trick (e.g. kiosk-shell.bat):

   @echo off
   wscript "c:\users\invisible.vbs" "c:\users\internet-only.bat"
   

9. Test this behaviour by running kiosk-shell.bat.
10. (Optional) Configure Opera to add a custom URL/URI protocol (e.g. abracadabra://) that runs explorer.exe or cmd.exe if you want to tweak or alter the kiosk account from the inside. Configured via Opera->Settings->Preferences->Advanced->Programs
11. (Optional but recommended) Backup/export your Windows registry.
12. Using regedit within the kiosk user account, create a String value called Shell under HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and point this to the fully qualified location of the custom shell batch file you have created (e.g. kiosk-shell.bat).
    • More details: http://msdn.microsoft.com/en-us/library/ms838576%28v=winembedded.5%29.aspx
13. Using regedit within the kiosk user account, create a DisableTaskMgr DWORD under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System with a value of '1'.
    • Alternate methods described here: http://www.computerstepbystep.com/windows_task_manager_windows_7.html
14. Switch to another (presumably pre-existing) admin account and change the internet kiosk account to "Standard User" privileges.

Note. The kiosk is not perfectly secure, indeed no simple free solution for Windows is - the best approach is a Linux distro off a bootable media (such as Webconverger). Opera's Kiosk mode is better than most, but Ctrl-12 will bring up a setting dialog through which the user can breakout of the kiosk (barring other precautions such as AutoHotKey or Parental Controls whitelist; neither of which I bothered setting up as a certain degree of trust is desirable when users have physical access to the machine anyway.)

Answer 3

Yes. AppLocker can limit a user to a single application.

Answer 4

If you REALLY want to lock down a computer, Fortres 101 (SIC, that is the correct spelling) is an amazing program:

http://www.fortresgrand.com/products/f101/f101.htm (30-day trial, $60 after that).

If you do try it, but have questions, just come back and post a comment to this, and I will see it.

Answer 5

Please check Inteset Secure Lockdown they have a kiosk version for IE that does what you need. It's simple to use and inexpensive.