Link to home
Start Free TrialLog in
Avatar of etbu
etbuFlag for United States of America

asked on

Restrict all applications except for IE 7

I need to be able to allow students to log into workstations using their AD domain account. When they log in I do not want any default programs to show up in the start menu. I only want them to be able to go to Internet Explorer v.7 but I do want them to be able to log off when they are finished.

I have read other solutions and they seem to indicate using kiosk mode. I don't believe the users would be able to log off and on if I did that. Am I correct in this?
Avatar of RubenvdLinden
RubenvdLinden

They can logoff if you allow them to press CTRL-ALT-DELETE.
However, you should disable your taskmanager to prevent them from starting new tasks.
If internet explorer in Kiosk mode was configured as the shell, then users would still have access to log off command from the windows security dialog (Ctrl + Alt + Del), all of the other functionality (Change Password, Task Manager, Shutdown, etc..) can be disabled through Group Policy.

To make it slightly simpler you could include a button in your application that closed the current document (through "javascript:window.close();").
Avatar of Kevin Hays
Only a couple of options that really come to mind right now.

1. Terminal server and have IE7 automatically launched when they login.  I believe it will take up full screen and they won't be able to have access to anything else unless there is a shortcut that takes them to the desktop.
2. Kiosk, They should be able to logoff and on, or at least the kiosk that I used to use at my previous job did.

You could try using gpo's to do this, but it may be pretty tedious though.
Avatar of etbu

ASKER

Ok...what about this then.

I have a gpo where users are assigned a windows screen saver that comes on in 30 minutes. The name of the gpo is 'current students'

I have another gpo called 'kiosk gpo'. It contains both user and computer configurations. It is assigned to an OU called Kiosks and all kiosk machines are in the OU.

When a student logs in, the computer configuration of the gpo in the Kiosk OU is applied. Also, the user  configuration in the  'current students' gpo is applied as well.

Is it possible for the user configuration in the kiosk gpo to be applied instead of the user gpo 'current students'.

I want to have a different screensaver on the kiosks than I do in the labs where the students login.
Avatar of etbu

ASKER

In responce to the original question:

Everytime a new user logs into the machine, it creates a startup menu with quite a few applications. I went into the default user profile and deleted all the shortcuts to the apps as well as in the ALL Users profile EXCEPT for Internet Explorer.

Now, when a new user logs in, they still get the following shortcuts:

Outlook Express
Address Book
Windows Media Player
Internet Explorer (no add-in mode)

Does anyone know if it is possible to keep these shortcuts from showing up each time a new user logs into the system for the first time?
Yes, the user configuration can be applied to the kiosk users, however you would want to either move those users inside the OU where the kiosk machines are located for it to take effect.

Did you modify the default user shortcuts as well?
ASKER CERTIFIED SOLUTION
Avatar of RubenvdLinden
RubenvdLinden

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial