AboutPricingCommunityTeamsStart Free TrialLog in
Avatar of operationsIT
operationsIT
 asked on

Secure Windows 7 with 2 logins Kiosk and Administrator

Is it possible to have a automatic login with a Kiosk user or maybe it doesn't have to be Kiosk that limits many areas of interaction with the Operating System?  However when required can switch to administrator who can support the system local/remote via admin credentials?  What is the best setup?
Windows 7Microsoft Legacy OSWindows OS
Avatar of undefined
Last Comment
operationsIT
8/22/2022 - Mon
Sean Plemons Kelly, CISSP
Hello operationsIT!

In my opinion:

Through Group Policy, most things are possible!

Most of the settings for this can be found under User Configuration > Policies > Administrative Templates.

Cheers!
Sean
operationsIT
ASKER
If this is a stand alone machine we can use the local GPO to lock it down (no desktop right click) yet somebody can login and override this with admin rights?
Sean Plemons Kelly, CISSP
operationsIT,

If someone else has admin rights, then yes, they will typicaly be able to change things.

There are two places you can remove the desktop context menu (right click):
One is the registry, at key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, key NoViewContextMenu. Giving this a value of 1 will disable the context menu.

The other is in Group Policy, at User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer > Remove Windows Explorer's Default Context Menu. Changing that to Enabled will disable the context menu.

*Ideally* the machine would be connected to some sort of domain that could apply the policy to different groups (I.E. the GPO that locked the system down would apply only to domain users the regular account, and the domain admins would be exempt from it).

I hope this helps!
Sean
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
operationsIT
ASKER
This is a machine we will put at a customer site to manage equipment so it will not be on their domain and the management team there wants it locked down so we can change to administer it, but their team cannot

•      Remove all icons from desktop
•      Remove or disable taskbar
•      Remove right click on desktop
•      Disable most system keyboard functions

Anything with these that won't work?  What will context menu removal do specifically?
We will still be able to switch to or restart to get admin in?
ASKER CERTIFIED SOLUTION
Sean Plemons Kelly, CISSP
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
operationsIT
ASKER
There should be one locked down and one engineer who has administrative rights

Disabling:
 File system navigation (except through package analytics)
All shortcut and fast keys (IE: <control>+<alt>+<delete>)
Right click menus
Command Window
Start menu (all of the menu, however can leave one option: user login change)

Effectively, the locked down user should only be able to:
Have the option to change users (change to engineering)
View the package analytics user interface (dashboard)
Remote desktop accessibility
Mount/unmount an external drive (USB)
operationsIT
ASKER
Great help thanks!
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Plans and Pricing
Resources
Product
Podcasts
Careers
Contact Us
Teams
Certified Expert Program
Credly Partnership
Udemy Partnership
Privacy Policy
Terms of Use

© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent