There are a few approaches to this; however, here are the issues I found with them:
- From Windows 8.1 you can use Assigned Access. This may have worked well in Windows 8.1; however, in my testing I could not get Edge to work, as Assigned Access only works for "Apps". In Windows 8.1, IE could run in "Metro app" style and therefore may have worked.
- AppLocker could be used to lock down a machine and restrict access to only specific programs; however, setup for this is tedious and there are simply too many variables to lock down.
- Internet Explorer can be run in "Kiosk Mode" (iexplore -k). This is fine if you are using the kiosk for a single website, but it does not allow users to easily navigate to other sites. This approach would work fine for a library catalogue machine or similar.
The approach I ended up taking was to take advantage of an old Group Policy setting called "Custom User Interface". This is located in User>Admin Templates>System.
This policy takes advantage of:
Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
With this approach you can replace explorer.exe with iexplore.exe and you are away. Of course, you would need to lock the machine down with settings like "Remove Task Manager" etc., but this approach works well.
However.
Of course, within a kiosk environment I would like to prevent users from being able to close Internet Explorer, because if they did there would be no way to restart it besides rebooting the machine.
The following Group Policy exists which is designed to prevent this:
File Menu: Disable closing the browser and Explorer Windows.
There is one major issue I encountered with this policy: when users opened new tabs for webpages, it sometimes prevented them from closing those tabs (users would receive a restriction error), so this setting would not work in a shared lab login environment. My thought was that this policy was designed before tabbed browsing became a thing and has not been updated to handle tabs ("Supported on: At least IE5" led me to that thought).
The issue I now faced was that I can't prevent IE from causing issues when using tabs, and I can't allow IE to stay closed, as users would be left with nothing...
The solution was simple: build what under other circumstances would be the most annoying program ever.
"Loop IE" is simple: it runs as a hidden process and forces iexplore.exe open again every time it's closed, after a delay of 5 seconds.
Edit: Updated below version to v2.
You can download HERE
Download and then place the file on the machine's local disk (e.g. c:\Program Files\LoopIE\LoopIE.exe). The settings file controls two options:
1. The URL to launch
2. Kiosk mode, on or off.
Configure the registry key below (or the Custom User Interface GPO):
Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
Value: c:\Program Files\LoopIE\LoopIE.exe
There you have it: users can close IE, however it will come back, forever!
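A minimal PowerShell version of the relaunch loop described above, added here as an illustration; it is not the author's LoopIE source. The parameter names, the placeholder URL and the per-session process check are assumptions of this example.

```powershell
# Added example: relaunch loop in the spirit of "Loop IE" (not the author's code).
param(
    [string]$Url = 'https://intranet.example/',  # constructed placeholder URL
    [switch]$Kiosk,                               # pass iexplore's -k switch
    [int]$DelaySeconds = 5                        # relaunch delay from the post
)

$ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (-not (Test-Path -LiteralPath $ie)) {
    throw "iexplore.exe not found at $ie"
}

# Only count browser processes in this logon session, so another user's IE on a
# shared machine (RDS, fast user switching) does not suppress the relaunch.
$sessionId = (Get-Process -Id $PID).SessionId

function Test-IERunning {
    $procs = Get-Process -Name 'iexplore' -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $sessionId }
    return [bool]$procs
}

function Start-IE {
    $ieArgs = @()
    if ($Kiosk) { $ieArgs += '-k' }
    $ieArgs += $Url
    Start-Process -FilePath $ie -ArgumentList $ieArgs
}

Start-IE
while ($true) {
    Start-Sleep -Seconds 1
    # Poll by process name instead of waiting on the launched process: the
    # iexplore.exe that was started may hand off to another IE process and exit.
    if (-not (Test-IERunning)) {
        Start-Sleep -Seconds $DelaySeconds
        # Re-check after the delay so a browser started meanwhile is not doubled.
        if (-not (Test-IERunning)) { Start-IE }
    }
}
```

To use a script like this as the shell, the Shell value would point at powershell.exe with -WindowStyle Hidden and -File followed by the script path.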
Here is a report of the group policies I have applied to my Kiosk OU.
Cheers,
Dan
Very nice! Any chance of being able to customize LoopIE.exe though? For instance the ability to use -k and/or specify a URL to use?
Hi, yes the source for the EXE is in the OneDrive download, simply edit with "-k" and recompile.
I did not see any source code on the OneDrive :/ Can you please make a -k -url version? :)
Sure, here it is. https://onedrive.live.com/redir?resid=2BD8BA5E21A068F3!6683&authkey=!AEjUzXkUS3-CCeU&ithint=folder%2cexe
Hello,
Can I enable Kiosk mode on Windows 10 Pro Tablets using Intune Standalone?
Thank you
I believe you can yes, but this is only good for "assigned access" which needs a new "metro" app to work correctly, see point 1 in my post
As a Windows noobie, if you make the GPO changes, is there a way to undo those changes?
"As a Windows noobie, if you make the GPO changes, is there a way to undo those changes?"
Once applied, you would have to create another whole GPO to undo the changes.
Or is it possible to set "adminautologon" = 0, and set no password to the IE user?
So if rebooted, users have to log in as the "kiosk" user, and if adjustments and other stuff need to be done with the computer, you could log in with the admin account...?
Odd. I assure you it's safe.
I am seeing the same behavior as well: Windows Defender flags it as the Trojan noted above. Probably incorrectly, since I've been using your program for a few months now. I'm guessing the behavior of scanning for another piece of software and then relaunching it if the task ends mirrors the behavior of this other Trojan.
Hi,
Is there any way to make the shell LoopIE hack only to be applied to certain users?
I want to be able to configure other Windows settings when logging in as an admin, which doesn't bring up the IE kiosk.
Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
Thanks
/Henrik
Sure, a local group policy for each user
I have downloaded the loopiev2 and made the changes I wanted for my settings.xml. What is the next step? How do I recompile the .exe again?
LoopIE will not run; it asks me to work with the creator to find a version that will work with my PC. It's the same as my desktop and it runs fine there.
Need a 32-bit version to run on a Windows tablet.