Creating a Win 7 kiosk pc

Dracula28

One of my clients want me to create 5 stand-alone kiosk pcs. They will be connected to the internet and each other in a workgroup configuration, but will pretty much just be stand-alone kiosk pcs, that will run IE and 4-5 other applications.

Since I am obviously going to use GPO to do much of the lock down. Are there any guides on this out there? I've tried to search on google, without finding anything. Sure, I could get my hands dirty in GPO, but I want to see tips and tricks, on what I can lock down to make the kiosk as inaccessible as possible.

This is what I want to do:

- disable Control Panel
- disable the right click context menu
- lockdown the start menu, with it only showing documents (for the user, not the libraries) and I want there only to be a shutdown button there
- disable the search function when viewing folders, I also want to disable the menu to the left
- I don't want the users to be able to browse the c: volume, but I do want them to save files on the kiosk user's documents folder only
- I want to disable ctrl+alt+del

And I need a pron filter. I've tried that Windows live family thing, but I don't know if I am going to go for that, as it clearly states that it is for families. And it might seem silly if they are denied access to ceratin sites, and then are given links to child safe sites.

Any input on this would be appreciated.

Asif Dasl

I don't know the exact group policies you'll need to turn on but you might want to look in to Deep Freeze. It deletes all changes to the computer when it is rebooted, it might help in locking down the computer as well. You used to be able to use Steadystate from Microsoft but that's gone away with Windows 7.

You might want to use OpenDNS for filtering websites also.

azjag

Asif Dasl wrote: »

I don't know the exact group policies you'll need to turn on but you might want to look in to Deep Freeze. It deletes all changes to the computer when it is rebooted, it might help in locking down the computer as well. You used to be able to use Steadystate from Microsoft but that's gone away with Windows 7.

You might want to use OpenDNS for filtering websites also.

I second this. My previous employer used DeepFreeze on all the kiosk/public PC's and it was a blessing. Beauty of it was you didn't need to lock everything down with a GPO. They could change anything they wanted and upon reboot all the changes were gone. Even with admin rights, although we didn't give them those either.

A google search came up with this.
http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html

http://teamtutorials.com/windows-tutorials/configuring-your-own-kiosk-machine

http://www.windows7download.com/win7-public-pc-desktop/jczqkxzj.html

Dracula28

Thanks for the input guys. I've pretty much gotten everything locked down, by using GPO and certain windows 7 settings. But the customer wants all open windows to be closed if the pc stays idle for 5 minutes, and then run a task (to start internet explorer), and I am kind of struggling with this.

I can use task scheduler to log off and log on the user after five minutes of idle state, and then run Iexplorer at startup, but when logging off, Windows 7 does not automatically log back on, but rather brings up the log on screen, where I can choose which user to log on.

This would also kill the purpose of having a screen saver, which the customer also wants, and this would also ensure that the computer would never go into sleep mode/turn off disks and screen to save power consumption, as the log off/log on would bring it out of idle state.

So i really just want to close all open windows after five minutes of inactivity and then run IE. Any suggestions on how to do so?

But then again, if I was running any kind of task, it would bring the computer out of idle state. So perhaps it is not possible to acheive what the customer wants.

Asif Dasl

You might need some dedicated kiosk software like SiteKiosk. Don't know what the costs are like but it seems to cover all the bases needed for a kiosk machine.

Otherwise it'll be difficult to achieve exactly what the client wants.

Dracula28

Btw, I don't quite remember exporting local gpos for specific users in a non domain environment.

I think I have to browse to C:\Windows\System32\GroupPolicyUsers, then open the folder for that spesific user (I've used the same user name on all five computers), next open the user folder, and locate the registry.pol file. And this is the file, I can copy to the exact same location on the different computers, right?

SteveLord

Asif Dasl wrote: »

I don't know the exact group policies you'll need to turn on but you might want to look in to Deep Freeze. It deletes all changes to the computer when it is rebooted, it might help in locking down the computer as well. You used to be able to use Steadystate from Microsoft but that's gone away with Windows 7.

You might want to use OpenDNS for filtering websites also.

Ah nice. The hotel I was at last week had something like this setup on their lobby computers, to include a timer.

Asif Dasl

Dracula28 wrote: »

Btw, I don't quite remember exporting local gpos for specific users in a non domain environment.

I think I have to browse to C:\Windows\System32\GroupPolicyUsers, then open the folder for that spesific user (I've used the same user name on all five computers), next open the user folder, and locate the registry.pol file. And this is the file, I can copy to the exact same location on the different computers, right?

Never tried to be honest, but this blog post seems to detail the process.

Dracula28

I think that was for XP, which did not have user spesific local GPOs. But I've found out how to do it in Win7. First of all, you can not create user spesific GPOs, as all user's on different machines will have the same SIDs. What you need to do is to choose "All non-administrators" when creating the mmc snap-in. As all non-administrators have the same SID in Win7 (S-1-5-32-545). So when you have created and configured this gpo, you can export that folder (S-1-5-32-545) to any Win7 machine.

It must be put in the c:\windows\system32\GroupPolicyUsers folder. From then on, all users that do not belong to the admin group, will apply those policies.

I'm pretty much done making the kiosk, I think I might just make a tutorial for others, as it might be useful for people who might find themselves in the same situation as I (abruptly thrown into making a kiosk, and constantly fighting the clock to get it done on time). I was suspposed to take the 640 exam on Wednesday, but could not prepare for it, and had to postpone it. Someone also broke into my house this week, so that was another reason why I can not tak 640 on Wednesday.