Kiosk Mode in Windows, Overcoming the Issues.

I was recently tasked with setting up a line of "Kiosk" machines (running Windows 10) to serve just Internet Explorer to users, with no access to other applications.

There are a few approaches to this; however, here are the issues I found with them:


  1. From Windows 8.1 you can use Assigned Access. This may have worked well in Windows 8.1, however from my testing I could not get Edge as Assigned Access only works for "Apps". In Windows 8.1 IE could run in "Metro app" style, therefore it may have worked.
  2. AppLocker could be used to lock down a machine and restrict access to only specific programs; however, setup for this is tedious and there are simply too many variables to lock down.
  3. Internet Explorer can be run in "Kiosk Mode" (iexplore -k). This is fine if you are using the kiosk for a single website, however it does not allow users to easily navigate to other sites. This approach would work fine for a library catalogue machine or similar.

The approach I ended up taking was to take advantage of an old group policy called "Custom User Interface". This is located in User>Admin Templates>System.

This policy takes advantage of:


Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ





With this approach you can replace explorer.exe with iexplore.exe and you are away. Of course you would need to lock the machine down with settings like "Remove Task Manager" etc., but this approach works well.

However. 

Of course, within a kiosk environment I would like to prevent the users from being able to close Internet Explorer, because if they did there would be no way to restart it besides rebooting the machine.

The following Group Policy exists which is designed to prevent this:

File Menu: Disable closing the browser and Explorer Windows.  


There is one major issue I encountered with this policy: when users opened new tabs for webpages, it sometimes prevented the users from being able to close those tabs (users would receive a restriction error), therefore this setting would not work in a shared lab login environment. My thought was that this policy was initially designed before tabbed browsing became a thing and has not been updated to be able to handle tabs; "Supported on: At least IE5" led me to that thought.

The issue I now faced was: I can't prevent IE from causing issues when using tabs, and I can't allow IE to stay closed as users would be left with nothing...

The solution was simple, build what under other circumstances would be the most annoying program ever. 

"Loop IE" is simple: it will run as a hidden process and force open iexplore.exe every time it's closed, after a delay of 5 seconds.

Edit: Updated below version to v2. 

You can download HERE
Download and then place the file on the machine's local disk (e.g. c:\Program Files\LoopIE\LoopIE.exe). The settings file controls two options.

1. The URL to launch
2. Kiosk mode, on or off.

Configure the below registry key (or Custom User Interface GPO)


Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
Value: c:\Program Files\LoopIE\LoopIE.exe


There you have it, users can close IE however it will come back, forever! 
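A relaunch loop of the kind described above, written in PowerShell as an added example; it is not the LoopIE program or its source. The parameter names, the placeholder URL, the http/https check and the MaxLaunches test limit are assumptions of this example.

```powershell
# Added example: relaunch loop for a kiosk browser (not the LoopIE source).
# Parameter names and defaults are assumptions made for this example.
# To run it hidden: powershell.exe -NoProfile -WindowStyle Hidden -File <path to this script>
[CmdletBinding()]
param(
    [string]$Url = 'https://intranet.example/',   # constructed placeholder URL
    [switch]$Kiosk,                               # adds the "iexplore -k" switch
    [int]$DelaySeconds = 5,                       # delay before the browser comes back
    [int]$MaxLaunches = 0                         # 0 = loop forever; >0 is for testing
)

$browser = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (-not (Test-Path -LiteralPath $browser)) {
    throw "Browser not found at $browser"
}

# Accept only absolute http(s) URLs so an edited setting cannot pass file: or other schemes.
$uri = $null
if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -notin 'http', 'https') {
    throw "Refusing to launch with URL '$Url'"
}

$browserArgs = @()
if ($Kiosk) { $browserArgs += '-k' }
$browserArgs += $uri.AbsoluteUri

# Only look at browser processes in this logon session.
$mySession = (Get-Process -Id $PID).SessionId
$launches = 0

while ($MaxLaunches -eq 0 -or $launches -lt $MaxLaunches) {
    # IE uses separate processes for tabs, so check for any iexplore process
    # rather than waiting on the handle of the one that was started.
    $running = Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $mySession }

    if (-not $running) {
        # No delay on the very first launch; afterwards wait before reopening.
        if ($launches -gt 0) { Start-Sleep -Seconds $DelaySeconds }
        Start-Process -FilePath $browser -ArgumentList $browserArgs
        $launches++
    }
    Start-Sleep -Seconds 1
}
```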


Here is a report of the group policies I have applied to my Kiosk OU.



Cheers, 

Dan