Locking down Win10 Pro to IE alone, no OS access

I have a client that will be using a web-based program with Win10 PCs as custom terminals running Internet Explorer 11.  For various reasons, some of these machines will be on a domain and others will just be offsite or in a small workgroup.

Seems that AD GP should allow for this on domain PCs, but I would like to know if anyone already has an example.

As for the machines off the domain, what would be the best method?

We essentially want the user "jailed" in a fully functional IE without the ability to close the browser, access the start menu, hit ctrl + alt + delete, or do anything else to access the actual underlying system. The PC needs to be full IE, but just IE and no ability to get to any other aspects of Windows 10.
Let me know if that makes more sense.
Cliff Galiher commented:
ziceman (Author) commented:
Yes, considered that, but client probably cannot have Internet Explorer itself that locked down. It is a restaurant application that is web-based and fairly comprehensive, and my guess is that the kiosk mode is too limited.
Cliff Galiher commented:
A bit confused. How is that too limited, but would still meet all of the conditions you just described? Sounds contradictory. If you can explain a bit more, experts can provide more specific suggestions.
ziceman (Author) commented:
As indicated above. The web-based restaurant / hospitality application is quite sophisticated and feature-rich. It likely includes extensive usage of HTML5, Javascript, Java and additional advanced technologies to fulfill the functionality. I suspect some custom, non-standard windows are spawned, etc. These may be hidden or disabled with the forced full screen mode.

Anyway - based on my understanding of Kiosk mode - it really does not "jail" the user. They can hit Alt+Tab to switch to other apps and Alt+F4 to close IE.
ziceman (Author) commented:
To further clarify - what they really need is a scenario in which IE is the only "whitelisted" application, per se. If a user closes IE, all that is left to do is launch it again. Nothing else is possible other than hitting the power button.
Cliff Galiher commented:
Kiosk mode does monitor the process and restarts it if closed. And without the other shell, no other apps would be running for Alt+Tab to work unless IE launched them (or, if it's an HTML5 app, I'd recommend Edge)

Either way, you seem to have just said kiosk mode is too restrictive AND not restrictive enough. Again, a bit of a contradiction.

There are also good 3rd party kiosk applications, but all operate similarly offering different features for configuration. Given your seemingly conflicting needs, I don't think any of them will give you what you want.
Cliff Galiher commented:
What you described about closing IE and having nothing left is what kiosk mode does. For added security to prevent IE from launching other apps through undocumented loopholes, you could pair it with AppLocker, which explicitly has a whitelist for what apps can and can't run. Wouldn't normally be necessary, but would be an added block for the particularly subversive user.
ziceman (Author) commented:
I guess it may seem contradictory, but it really is not.

The web application itself will likely not function in a forced full-screen mode. It requires multiple floating and overlapping windows (some perhaps non-standard IE). From my perspective, this would rule out the standard behavior of IE Kiosk mode. So... that is probably that.

Now, moving on. We need to only allow the user to be able to run the IE application and do nothing else with the machine. To me, this seems like an application whitelisting scenario or a highly restrictive group policy configuration. But I am open to other ideas. That is why I am here.

The application vendor has specified that the browser *must* be IE 11. Edge is not supported.
ziceman (Author) commented:
Actually - I just realized that we are talking about two different things:

a) Launching the Internet Explorer in IE Kiosk Mode
b) Configuring Windows 10 to run in Kiosk Mode - with only IE as the specified app

I assumed your link above was taking me to "a" (which a colleague had already sent / suggested).

My apologies for the error and snarky attitude. I need a beer.

Will look over "b" and come back shortly.
Kiosk mode is not secure and was not intended to be secured against breakouts. What Microsoft offers that is, is assigned access.
Assigned access is however limited to modern apps and cannot be used with internet explorer, but it can be used with the edge browser.

From assigned access, you cannot break out. However, you want "full functionality" and assigned access does not allow printing web pages - is that a problem for you?

If you decide to go with assigned access, you will need win10 v1709. The powershell command to enable assigned access for a certain restricted user (let's call him "weakuser") is
Set-AssignedAccess -UserName weakuser -AUMID Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge


Let me add that Cliff's link is about assigned access in large parts and microsoft even mixes the terminology so that it is hard to follow and distinguish between shell launcher (insecure) and assigned access (secure).
So I should not have written "kiosk mode is not secure" but rather "you need to choose the right method for kiosking as there are several and only win10 v1709 offers to use a browser in a secure kiosk that you cannot break out from at all"
ziceman (Author) commented:
Thanks, McKnife.

So what about something imperfect but reasonably secure that most non-technical users could not break?

The vendor has indicated that IE is an absolute requirement, and Edge cannot be used.

If Assigned Access is not an option, what can be accomplished with Group Policy and / or registry modifications that might at least keep the majority of casual users from mucking around in the OS?
As mentioned by Cliff, you can use Applocker (on enterprise versions) or similar software restriction policies (on non-enterprise windows versions) to restrict any and all software apart from what you whitelist. Please look into these built-in options.
ziceman (Author) commented:
In looking at AppLocker, it was not clear if the solution would work for machines not on a domain. We need to lock down both domain members and some workgroup PCs.
Applocker does not need a domain, no. Just two things to take note of:
-Applocker is only available in the enterprise edition of windows
-Applocker needs a certain service activated that will de-activate after each major windows update (this is even by design!). So you will need to turn it on again after each major update. The service is called "application identity".
ziceman (Author) commented:
OK, well all these machines are all running Win10 Pro - so not an option?
No, not an option. However, as mentioned, you can use software restriction policies which are the predecessor of applocker.
ziceman (Author) commented:
OK, but for the machines off the domain - it seems that SRP applied through a local GPO will apply to the whole machine (no ability to specify users). If this is the case, how could an Administrator subsequently manage the machines?
You can differentiate between administrative users and restricted users, so effectively turn it off for administrators, if you follow this http://www.frickelsoft.net/blog/?p=76 - you could even apply it to single users.

ziceman (Author) commented:
OK. I have come back around on this and am thinking of perhaps a more basic solution.

Right now we have the machine set up to auto-launch Internet Explorer in its own Kiosk mode. While this is not very secure, the user account privileges themselves are pretty restrictive. The machines are not on the domain and do not have access to the network (other than to the app server on HTTPS).

The problem is that the custom web application has a "close session" button that will drop the user back to the desktop. Is there a way that I can force a log-off if / when Internet Explorer is closed?
Cliff Galiher commented:
If you configured windows 10 kiosk mode with the app as the default shell, it'll just relaunch. Set the app as the homepage. Would that suffice?

Note that again I am talking about windows 10 kiosk mode NOT IE kiosk mode.
ziceman (Author) commented:
Yes, but as mentioned above:

1 - Win10 Kiosk mode only supports Edge as a browser, and IE 11 is required for the custom application
2 - Win10 Kiosk option is not included in Window 10 Pro (just Enterprise)
Cliff Galiher commented:
For the first, refer to the link I first posted at the beginning. Windows 10 kiosk mode can absolutely support classic apps via shell launcher and is documented in that link.

For the second, if this is really that important as it sounds then adding SA to your install (which you can do even for OEM instances within a window after purchase) will get you enterprise. Otherwise you can always buy enterprise through an open value VL purchase to get this.
ziceman (Author) commented:
OK. For anyone that is still monitoring this, I did find a solution.

It was accomplished with a combination of technologies.

Since we were forced to rule out global Kiosk mode (Assigned Access) for various reasons, I ended up using IE Kiosk mode, local group policy and a login script trick.

1 - Create a fully-realized command to launch IE with the -k switch and the associated custom URL

2 - Use the method referenced above to create a user-specific local group policy that locks down the PC completely for the given account. This includes clearing off the Start Menu, disabling access to CPanel and Settings, and removing Task Mgr and Chg Password from the Ctrl Alt Delete functionality.

3 - In the Administrative Templates > System > Logon > Run these Scripts at Login, I pointed at the following batch file:

@echo off
:: Start Internet Explorer and wait for it to close
start /w "" "C:\Program Files\Internet Explorer\iexplore.exe" -k
:: Force logoff on computer immediately.
shutdown /l

Now when or if the user closes the custom IE application, they are automatically logged off.

In the event they do somehow get to the desktop, there is nothing that can be done.
Ok, maybe someone should sit down and evaluate your solution in terms of security and compare with all kiosk techniques that Microsoft offers. Maybe I'll find the time, soon. I am not really satisfied with how this question went, since first, one should define what the restricted user mustn't be able to do under any circumstances. I guess, your solution is quickly circumvented by bringing up task manager (CTRL-Shift-Del) and launching any task he likes from there.
Your script allows using CTRL+o inside IE to browse the computer and break out by starting whatever from that dialogue.
Shell launcher, in its current form on 1709 with Microsoft's script, does not work as expected here in terms that the custom shell is not applied but instead the default shell is applied - maybe their script (which I customized as advised) needs revision. However, without using software restriction policies/applocker or at least NTFS permissions accordingly, anyone can break out at once.

Only assigned access is secure and can be used for browsing. Just one line of code, as easy as it gets. In Win10 v1803, we can even print from that browser. If you need IE badly, you will need to use shell launcher and pair it with software restriction policies.
ziceman (Author) commented:
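As an added check that is not from any poster in this thread: a PowerShell audit covering the gaps McKnife raised against ziceman's IE-kiosk-plus-logoff-script setup (Task Manager and Change Password on the Ctrl+Alt+Del screen, Control Panel, the IE File > Open / Ctrl+O dialog, and whether SRP or AppLocker actually enforces a whitelist). It reads the policy values those Group Policy settings write, so run it in the kiosk user's own session; the logon script path C:\Kiosk\launch-ie.cmd is an assumed placeholder.

```powershell
# Kiosk lockdown audit (added example, not the thread's own script).
# Run as the restricted kiosk user: the per-user local GPO lands in that user's HKCU.
$LogonScript = 'C:\Kiosk\launch-ie.cmd'   # assumed placeholder path
$findings = @()

function Test-RegDword($Path, $Name, $Expected) {
    # Returns $true only when the policy value exists and has the expected DWORD.
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($v -eq $Expected)
}

$policySystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ieRestrict     = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

# 1. Escape hatches on the Ctrl+Alt+Del screen and in Explorer.
if (-not (Test-RegDword $policySystem 'DisableTaskMgr' 1))        { $findings += 'Task Manager still reachable (DisableTaskMgr != 1)' }
if (-not (Test-RegDword $policySystem 'DisableChangePassword' 1)) { $findings += 'Change Password still on the Ctrl+Alt+Del screen' }
if (-not (Test-RegDword $policyExplorer 'NoControlPanel' 1))      { $findings += 'Control Panel / Settings still reachable' }

# 2. IE's own File > Open dialog (Ctrl+O) is a file browser and launcher.
if (-not (Test-RegDword $ieRestrict 'NoFileOpen' 1)) { $findings += 'IE File > Open / Ctrl+O still available (NoFileOpen != 1)' }

# 3. Application whitelisting: SRP default level 0 = Disallowed, or AppLocker
#    with its Application Identity service (AppIDSvc) actually running.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srpDefault = (Get-ItemProperty -Path $srp -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($srpDefault -ne 0 -and ($null -eq $appId -or $appId.Status -ne 'Running')) {
    $findings += 'No effective whitelist: SRP DefaultLevel is not Disallowed and AppIDSvc is not running'
}

# 4. Logon script must wait for IE (start /w) and then log the user off (shutdown /l).
if (Test-Path $LogonScript) {
    $body = Get-Content -Path $LogonScript -Raw
    if ($body -notmatch '(?i)start\s+/w[\s\S]*shutdown\s+/l') { $findings += 'Logon script does not wait for IE and then log off' }
} else {
    $findings += "Logon script not found: $LogonScript"
}

if ($findings.Count -eq 0) { 'No gaps found by this checklist' } else { $findings }
```

Re-run it after each Windows feature update, since McKnife notes that AppIDSvc is switched off again by those updates.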
I am pretty sure that all the other key combinations, including CTRL-Shift-Del and CNTRL+ o, were attempted - but will confirm. Also, the user is a limited account with no ability to change settings or install apps, even if they got that far.

As I indicated earlier, these machines are not on the domain and do not have network access other than internal HTTPS / 443. We have made it fairly difficult for users to break out and do anything, and it seems that one of the waiters / waitresses would need to be quite industrious to create problems. These PCs are in plain view the entire time the facility is open.

This being said, I want to do what is best for the client. So I will await further insight.
We need to be precise.

Breakout for me: being able to run anything but IE
Breakout for you: being able to "change settings or install apps"

That is different. If your need is just to give them IE and not show them the rest of the UI, then you have succeeded, if you don't mind that users may circumvent that.
ziceman (Author) commented:
Will confirm CTRL-Shift-Del and CNTRL+ o possibilities to circumvent. Let you know ASAP.
You can as well use the open dialogue in IE via mouse clicking:  File - Open (needs the menu bar to be displayed first using the Alt key, eventually)
ziceman (Author) commented:
IE is launched in full screen KIOSK mode (-k). I believe both menus and key combos are disabled.
Key combos disabled? Not in normal IE kiosk mode. We can use GPOs to disable winkey shortcuts like winkey+e for explorer, but CTRL o does work in kiosk IE.