Thursday, January 07, 2010

How to Lock Down a Windows 7 Kiosk or shared PC

Browsing one of my favorite RSS feeds, LifeHacker, I came across something that might be useful to a bunch of Small Business Server VAPs configuring your network. In many cases, some companies like to provide a courtesy kiosk for visiting folks, or perhaps they have a single computer for the break room.

How-To Geek outlines the steps. Basically it leverages local Group Policy (although there is no reason you can’t do this in global group policy on your Windows Small Business Server 2008 machine) to allow users to only run certain applications, thus preventing users from getting into trouble and lowering your total cost of ownership on that client PC (or your whole network).

I’m copying the steps here for convenience. Thanks How-To Geek!

 

If you have a shared or public computer you might want to allow users to use only specified programs. Today we take a look at a setting in Local Group Policy that allows you to set only specified programs to run.

Note: This process uses Local Group Policy Editor which is not available in Home versions of Windows 7.

First click on Start and enter gpedit.msc into the search box and hit Enter.

Navigate to User Configuration \ Administrative Templates \ System. Then under Setting scroll down and double click on Run only specified Windows applications.


Set it to Enabled, then under the Options section click on the Show button next to List of allowed applications.


A Show Contents dialog comes up where you can type in the apps you want to allow users to run. When finished with the list, click OK then close out of Local Group Policy Editor.


If a user tries to access an application that is not on the specified list, they will receive an error message.

This is a nice feature for limiting what programs users can or cannot access on the computer.
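The setting above is stored per user under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (a `RestrictRun` DWORD plus a `RestrictRun` subkey holding the allowed executables). As an added example, not part of the How-To Geek steps or the original post, this PowerShell script reads the policy back for every loaded user profile and warns when a restricted account cannot launch the tools needed to undo it. It assumes PowerShell 3.0 or later and an elevated prompt; the `$RecoveryTools` list and the function name are choices made for this example.

```powershell
# Added example: audit "Run only specified Windows applications" per user.
# Only profiles whose registry hive is currently loaded appear under HKEY_USERS.

# Tools an administrator needs to reverse the policy (gpedit.msc runs inside mmc.exe).
# This list is an assumption of the example; adjust it to your environment.
$RecoveryTools = @('mmc.exe', 'regedit.exe')

function Get-RestrictRunPolicy {
    param([Parameter(Mandatory)][string]$Sid)

    $explorer = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $enabled  = (Get-ItemProperty -Path $explorer -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun

    # Allowed executables are string values named 1, 2, 3... in the subkey.
    $allowed = @()
    $listKey = Get-Item -Path "$explorer\RestrictRun" -ErrorAction SilentlyContinue
    if ($listKey) {
        $allowed = @($listKey.GetValueNames() | Where-Object { $_ } |
            ForEach-Object { [string]$listKey.GetValue($_) })
    }

    # Resolve the SID to an account name where possible.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $account = $Sid }

    [pscustomobject]@{
        Account              = $account
        Enabled              = ($enabled -eq 1)
        Allowed              = $allowed
        MissingRecoveryTools = @($RecoveryTools | Where-Object { $allowed -notcontains $_ })
    }
}

Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # real user SIDs only
    ForEach-Object { Get-RestrictRunPolicy -Sid $_.PSChildName } |
    ForEach-Object {
        if ($_.Enabled -and $_.MissingRecoveryTools.Count -gt 0) {
            Write-Warning ("{0} is restricted and cannot run {1}; make sure this is not an administrative account." -f
                $_.Account, ($_.MissingRecoveryTools -join ', '))
        }
        $_
    } | Format-Table Account, Enabled, @{ n = 'Allowed'; e = { $_.Allowed -join ', ' } } -AutoSize
```

A warning on the kiosk account is expected; a warning on an administrator account means the policy was applied too broadly and should be scoped to the kiosk user before that administrator logs off.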


13 comments:

Anonymous said...

There are many security/kiosk apps out there that simplify the Group Policy editor. We use one called Secure Lockdown by Inteset. It eliminates the need to futz around with a billion GP settings. It's not for everyone though.

pratik said...

Any ideas on how to make Windows 7 look like a kiosk? All I want is for it to run my software and nothing else, not even internet. Whenever you log in to the kiosk (user account) it starts my software and nothing is visible. The only way to control things is from the admin user account.
Thanks
It's my capstone project so it would be a great help.

Sean Daniel said...

Wouldn't you just put it in the start menu, and then maybe just prevent explorer.exe from running? I'm not sure if that can be done.

Anonymous said...

Inteset Secure Lockdown has a "Run as Shell" feature that kills the Desktop and only runs your software.

Nic Fowler said...

Use PowerShell to access gpedit.msc

Anonymous said...

I followed the instructions and it worked, but the problem I'm having now is that I can't turn off restrictions. I even logged in as administrator to try and disable it, but I can't even get into regedit.
What do I need to do?

Anonymous said...

How to restore back? Please help

Anonymous said...

LOL.. now you guys are doomed!

Unknown said...

Fascinating!

Anonymous said...

Boot pressing F8, and go into safe mode, disable your msc setting and reboot. If you're on a domain with Windows Server and you have a GPO, disable the GPO and reboot.

Anonymous said...

OK Ok .. IF you change the "local policy" as stated above.. ALL accounts will be locked out and you cannot change anything EVEN as ADMIN/ADMINISTRATOR

TO REVERT Back to Admin Access YOU MUST use "System Restore" and return your system to an earlier time... before the changes were made.

I advise Against Doing what this post says above.. and look for an alternative solution.

2 thumbs down on this post!

Anonymous said...

Lol, of course it happens if you apply the policy to everyone. That's why you should only apply the policy to a specific group or user.

Just snap-in a new policy object and set everything there.

Anonymous said...

I blindly followed this stupid article as well, but for Windows 10. Safe mode did nothing. There were no previous restore points either. After wasting an hour trying many different things, I found a solution:
Delete all the folders found within %windir%\system32\GroupPolicy\ and restart.