Creating Public Kiosk Desktops in AD/win2k domain


StellaIndigo

IS-IT--Management
Sep 19, 2002
GB
Anyone got any information on how I can lock down a Windows 2000 desktop that will be served pages from an IIS server in my domain? The user should only be able to browse our intranet site. No operating system functions except login/logout. The application is to be used in a corp intranet environment.

Ta
 
Stella,

I suppose that you are using a Windows 2000 network, and there is an Active Directory.
What you have to do is to play with Group Policies.
There you find all kinds of restrictions for machines and for users.
Keep your kiosk computers inside an OU. Then add a GPO (Group Policy Object) to that OU. Modify that GPO as you want.
Of course you have to define the policy for users also.

The details of what exactly you should do are a long story (and I don't have any W2K machine next to me now).

If you need more help, write me and I will help you with details.

Success!
Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
 
I found a few documents on TechNet about locking down NT and running IE in kiosk mode; however, there doesn't seem to be a single all-in-one document about creating kiosk desktops, oh, and based on user login, not computer. (I have a lot of users who "know Windows" so they fiddle with it and stuff it up)

I've got a few lockdown GPO's so I'll mix that with IE in kiosk mode.

Thanks anyway.


 
(I have a lot of users who "know Windows" so they fiddle with it and stuff it up)

OUCH! There's nothing worse than those folks. What kind of rights are you giving them?

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

"Common sense is an instinct for the truth."
Max Jacobs (1876-1944); French writer.

 
Depends. Directors and senior managers see themselves as above the law and know everything about everything; they are Domain Users with no special lockdown. (company politics)

Most others have a "mild" lockdown with a GPO. Serious problem users I've locked down so they can't even run up Windows Explorer or change the desktop.

I'm creating an intranet so when the user logs in it jumps straight into IE in kiosk mode. All their applications they can run up from IE, then they can log out. Reducing administration.
 
Try losing the default gateway.

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com

 
You'll need to tighten IE up - the IE Resource Kit is ideal for this.

There are all sorts of security holes, such as the view source feature, the ability to navigate to a server's drive from the address bar, and Help.

Disallowing downloads, right-clicking and explicitly blocking many sites (like hotbar.com [shudder]) is also necessary.

This is a fun project - I did this via MetaFrame years ago, so have forgotten most of what I did - but I'll try to dig out my notes... I remember we set up a non-trusted public domain in a DMZ to avoid any possible contact with the internal LAN. This project was for 6 public libraries - we had kids trying to hack it from day one. Fortunately with MetaFrame, we were able to shadow them and find out what they were up to!

Good Luck!
CitrixEngineer@yahoo.co.uk
 
The users don't have any access to the Internet anyway so I'm not worried about them downloading rogue programs/screen savers etc.

It's more to stop them from dropping back to the desktop. If they can't get access to something via the Intranet then they shouldn't have access to it.

I'll be running IE in full screen mode with no toolbars/menus etc or removing all desktop objects and setting up web content on the active desktop.

I've found KB Q198771, which tells me how to lock down a desktop, and another KB about running IE in kiosk mode; it's more putting it all together...

 
I followed the discussion from above, but I cannot see where the difficulty is.
Using Group Policy you have all the necessary tools to lock down that desktop.
I just did a huge list with possible options that you can use.
If you want I can write you all those settings.
(But there are a lot, and they are flexible.)

One trick is to use "User group policy loopback" with processing mode set to "replace". In this way, the GPO specified for the OU where the computer is will be applied with both sections (computer and user), ignoring the actual user location (and his associated GPOs).

You can restrict how the "Start" menu will look, you can restrict any icon on your desktop, and if you want to start automatically in IE then you can set a "Custom User Interface" that will be set to IE. And having explorer.exe as forbidden (I cannot test this now, but defining a custom user interface is a nice idea. I remember that having NetWare you could set as SHELL a different application than explorer).
Then you can have a list of forbidden applications or allowed ones, etc. There are many Administrative Templates there that can be used for restricting access.

So, please tell me if you are trying to do such a thing.

Gia Betiu
m.betiu@chello.nl
Computer Eng. CNE 4, CNE 5
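
The two settings named in the post above (loopback in "replace" mode and a custom user interface pointing at IE) can be checked on a kiosk from a registry export. This is an added example, not part of the original thread: it assumes the usual registry locations these two policies write to, and the export text and the `intranet.example` URL are constructed.

```python
import re

LOOPBACK_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System"
SHELL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"UserPolicyMode"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Shell"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -k http://intranet.example/"
'''

def parse_reg(text):
    """Return {(key, value_name): int | str}, lower-cased for lookup."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (m and key):
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            values[key, name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash
            values[key, name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return values

def audit_kiosk(text):
    """Return a list of findings; an empty list means both settings are in place."""
    v, findings = parse_reg(text), []
    mode = v.get((LOOPBACK_KEY.lower(), "userpolicymode"))  # 1 = merge, 2 = replace
    if mode != 2:
        state = {None: "not configured", 1: "merge"}.get(mode, f"value {mode}")
        findings.append(f"loopback is {state}; the user's own GPOs still apply")
    shell = v.get((SHELL_KEY.lower(), "shell"), "")
    if "iexplore.exe" not in shell.lower():
        findings.append("custom user interface not set to IE; explorer.exe remains the shell")
    elif "-k" not in shell.lower().split():
        findings.append("IE is the shell but is not started with -k (kiosk mode)")
    return findings
```
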
 
You could setup a Linux box and avoid the Windows hassles and licensing. Pretty easy to lock up.
 
My company does a ton of kiosks and the best way that I have found is to use a program called SiteKiosk. It is fun to play around with locking down Win2k, but when you want it done right use this program, and it's around 100 dollars I think. Plus it gives you some cool options, like an internet screen saver that goes to the sites or files you tell it to go to. And I have not been able to hack it or seen it hacked yet.

Just my 2 cents.
 
Many thanks, I'll get a copy of SiteKiosk. Sounds like what I am looking for.

Cheers
 
Have you tried downloading the Microsoft scenario GPOs... that has a kiosk computer and user GPO that ties things down pretty well; only IE opens and cannot even be closed down, users have to log off.
Don't know if that's of any use?
 