Building a kiosk in Windows XP and 2000 is not really as hard as it sounds. This tip will discuss building a kiosk on a stand-alone workstation. This scenario applies differently to a system you would deploy in an AD domain. It's a good idea to do this initially in a non-production system that is backed up, because you will be modifying system permissions as you go. You could wind up denying yourself access to the system, so having a backup would be handy.
First, you will need to create an account that has limited rights in addition to the admin account already in existence. I like to create a kiosk local group and a user called "Kiosk." The user "Kiosk" is a member of only the kiosk group.
Under the Run menu, type "mmc" to create a new Microsoft Management Console. You will need to add the snap-in for Group Policy, and designate it for the local machine. Save the Group Policy in your Administrative Tools.
In this mmc, you can configure the permissions to apps and the overall access to the OS. If you are in doubt about what a particular setting does, the Explain tab does a fantastic job. (To get to the Explain tab, right-click on a policy object, such as "Remove users folders from the Start Menu," and select Properties from the context menu.)
Here is where many people will mess up. To access the Group Policy mmc, you need to have permissions to access the files the mmc uses to enforce the policies. As you are changing settings, you will find that you are actually locking down the system (the admin account) around yourself. Sooner or later, you will lock yourself out of the system and face a format/reinstall.
Avoid this problem by using the following method:
- Create shortcuts to the group policy mmc and %systemfolder%\system32\grouppolicy on the admin desktop.
- Allow the Administrator account Read and Write permission and the KIOSK group Read permission on the Security tab for the gpt.ini file located in the grouppolicy folder. (Some like to assign to the folder instead. Either works.)
- IMPORTANT!!! LEAVE THE EXPLORER VIEW OF THE GROUP POLICY FOLDER OPEN!!!
- Open Group Policy, and modify your desired settings.
- Close down Group Policy, and save settings.
- REOPEN Security tab on gpt.ini and set the Admin account to DENY READ Permission.
- Logout and login as kiosk user. The changes you enabled should be apparent. When you log back in as the admin account, you SHOULD NOT see the changes.
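The permission steps above, scripted with cacls.exe (present on Windows 2000 and XP) as an added example that is not part of the original tip; it assumes the built-in Administrator account, a local group named Kiosk, and the default GroupPolicy folder under %SystemRoot%.

```batch
@echo off
rem Added example, not from the original tip. Account name "Administrator" and
rem group name "Kiosk" are assumptions; change them to match what you created.
setlocal
set GPT=%SystemRoot%\System32\GroupPolicy\gpt.ini

if /i "%1"=="unlock" goto unlock
if /i "%1"=="lock"   goto lock
if /i "%1"=="show"   goto show
echo Usage: %~nx0 unlock ^| lock ^| show
goto :eof

:unlock
rem Before editing policy: remove any Deny entry for Administrator, then grant
rem Administrator Change (read+write) and the Kiosk group Read.
rem /E edits the existing ACL in place, so the other entries are kept.
cacls "%GPT%" /E /R Administrator
cacls "%GPT%" /E /G Administrator:C
cacls "%GPT%" /E /G Kiosk:R
goto show

:lock
rem After closing Group Policy and saving: deny Administrator access to gpt.ini
rem so the local policy is not applied at the admin logon, while Kiosk keeps
rem Read. Note that cacls /D writes a full Deny entry, which is broader than
rem the Deny Read set in the GUI; the owner (Administrators) can still change
rem the ACL, which is what "unlock" relies on.
cacls "%GPT%" /E /D Administrator
goto show

:show
rem Verify: when locked, Administrator should appear as (DENY) and Kiosk as R.
cacls "%GPT%"
endlocal
```

Run `unlock` before opening the Group Policy console and `lock` after closing it, then test with the kiosk and admin logons as described above.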
My main recommendation is to modify settings slowly until you are comfortable with the process. Start with hiding the Recycle Bin from the desktop. Once you are at the point at which the admin account can login and NOT inherit the policy (you see Recycle Bin) and the kiosk user profile login DOES inherit (you cannot see Recycle Bin), you are using the methodology correctly.
Also, be careful with advanced settings, especially in Windows Explorer, because modifying some of those could lock you out of Explorer submenus and even get you to the point where you cannot access the properties of a file to modify permissions. Best Advice: GO SLOW, and DOCUMENT WHAT YOU DO!
Good luck!

Earl Grylls
This was first published in February 2002