I'm currently configuring a Kiosk machine using "IExplore.exe -K" as a replacement shell, everything is working fine.
Unfortunately you can still kill the IExplore.exe session by hitting Alt-F4. This just leaves a blank, black screen.
Is there any way to ensure IExplore.exe restarts if closed?
I've considered writing a Powershell script to run as a service or scheduled task to just check if it's running and restart it if it's not, any other ideas?
Warning:
The instructions below contain steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.
Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
For more information see How to back up and restore the registry in Windows.
Finally, Alt+F4 or Ctrl+W would close the Kiosk-mode window.
You can lock down these subversive key combinations using restrictions in the Registry:
- Launch RegEdit from the Start menu's Run dialog;
- Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Internet Explorer\RestrictionsFind or create each of the following DWORD values, setting its data to 1 to enable the restriction:
-
NoBrowserClose(disables closing the browser window)-
NoBrowserContextMenu(disables right-click context menu)-
NoFileOpen(disables use of Ctrl+O or Ctrl+L to launch an arbitrary URL)-
NoOpenInNewWnd(disables opening a link in a new window via Ctrl+N or Shift-click)A user who attempts one of these restricted actions will get a warning stating "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." You may need to restart the computer to make it recognize changes in these values.
Of course users can still enter Ctrl+Alt+Del to bring up Task Manager and end the process.
Source Internet Explorer's Kiosk Mode
Note:
Another source Building a Windows 7 Kiosk in 10 minutes says the key to add is HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions
I have recently setup Kiosk Mode for local libraries using
UserConf\Administrative Templates\System\Custom User Interface Pointing to "C:\Program Files\Internet Explorer\iexplore.exe"
Along with some other lockdown policies (No taskmanager, disk access, removable devices etc)
I did not use the -k (kiosk switch) as I found opening PDF etc would also run in Full screen Kiosk mode and cause user's grief. like being stuck with a PDF open in full screen over top of their IE window and unable to close it.
As mhouston100 wrote: "To add an update, using the policy there are a few caveats: 1. You can't close the browser OR tabs, so users opening multiple tabs will continue to exist regardless 2. It seems to cause issues with browsing to different sites, displaying an error 'restrictions on this computer prevent you...' I'm doing some more testing at the moment as this has again changed what I'm looking at."
I found the same issue when using this GP Restriction - Hyperlinks were being blocked in IE - even poor old Google was being restricted.
Using the above PowerScript works a treat - cheers mhouston100
In the end I no longer used 'Kiosk' mode in IE as the scope changed when it was Demo'ed. However the correct GPO for keeping IE open is located under:
UserConf\Administrator Templates\Windows Components\Internet Explorer\Browser Menus\FileMenu: Disable closing of the browser and Explorer Windows
This coupled with: UserConf\Administrative Templates\System\Custom User Interface
Pointing to "C:\Program Files\Internet Explorer\iexplore.exe"
Along with some other lockdown policies (No taskmanager, disk access, removable devices etc) and you wind up with a pretty robust Kiosk machine.
EDIT:
For any future Google'rs I ended up scrapping the kiosk mode altogether. It caused way to many problems.
In the end I still used IExplorer.exe as the shell but wrote a Powershell login script to simply scan for an IExplorer process and if not found restart it. This allowed the users to still have the flexibility of tabbed browsing etc but if they happened to accidentally close the session it just reopened to the homepage.
The script is below and just set through GPO as a login script:
Start-Job -ScriptBlock {
While (1 -ne 0){
Start-Sleep -Seconds 5
If (-not(Get-Process iexplore -ea silentlycontinue | select *| Where-Object {$_.MainWindowHandle -ne 0})){
Start-Process -FilePath "$($env:ProgramFiles)\Internet Explorer\iexplore.exe"
}
}
} | Wait-Job
The best soltution that I was able to find for securing a public web browser was posted at http://haslenet.co.uk/?p=816 and uses a script and a few registry settings to lock the kiosk down properly. So far I have not been able to find any weaknesses in it.
