We operate kiosk machines in our library, allowing students to use the machine - which is always on - to search the Library Catalogue (a web-based application) and find a book they're looking for. The idea is that they can walk up to the machine, search and walk away with the location of the book, only having used the machine for a few minutes.
After many years of using a ThinStation image to do this, we've opted to build a Windows 7 image to do the same thing. We found it's not at all difficult, and you can lock the machine down sufficiently to prevent tampering. Our machine has almost nothing installed on it apart from Windows and drivers, so it boots lightning fast (practically as fast as the network-booting ThinStation images we were using), and it was quick and easy to build. Being Windows, it's also easy for our library staff to understand, and for anybody to maintain.
The three main components of the kiosk machine are:
Configuring Windows and IE
Windows itself only requires basic configuration and some group policy changes. We haven't joined these machines to our domain, so group policy changes were done locally. We made all the obvious changes, like disabling screensavers and power saving, and disabling CTRL+ALT+DEL options such as Task Manager and fast user switching.
We use two Windows options to launch our browser in place of the normal explorer shell. We use Internet Explorer's kiosk mode switch:
We also launch Internet Explorer using the custom user interface group policy option in Windows. This allows Internet Explorer to be run instead of the normal explorer interface (the taskbar, start menu and desktop).
Locking it Down
With the aforementioned changes made, Windows will boot into IE and display the start page (the library catalogue in our case) with no buttons, address bar or menus. If you were to quit IE you would be presented with a blank background and no option to launch any other programs.
That all seems good, except there are innumerable ways to get into the system and start messing around. Pressing ALT+F4 will kill IE, CTRL+O will allow you to browse to any other address, and of course the good old right-click context menu opens up all sorts of options we don't want users to see. This is where AutoHotKey comes in.
AutoHotKey allows you to do a lot of crazy things with input devices, from launching programs with a key combination, to remapping mouse and keyboard keys or key combinations. The program is free and its scripting language is very easy to learn using its comprehensive help file littered with examples.
By writing an AutoHotKey script, and replacing the explorer shell with AutoHotKey (which in turn runs IE in kiosk mode), I can remove access to right and middle mouse-buttons, CTRL+anything and any other way to circumvent my IE kiosk setup. I can also slip in some secret key combinations that launch various tools to help troubleshoot the system, or to get back to the explorer desktop. After all, our support techs need to be able to work with it too.
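A sketch of such a shell script, as an added example in AutoHotkey v1 syntax (it is not the library's own script, which is linked at the end of the post). The IE path, catalogue URL, Process Explorer path and support key combination are placeholders assumed for illustration.

```autohotkey
; Added example in AutoHotkey v1 syntax; not the library's own script.
#NoEnv
#SingleInstance Force
#Persistent

; Assumed values: adjust for your own install and catalogue.
IEPath   := "C:\Program Files\Internet Explorer\iexplore.exe"
StartUrl := "https://catalogue.example.edu/"   ; placeholder URL
ToolPath := "C:\Tools\procexp.exe"             ; placeholder path

; Block Ctrl+<letter> and Ctrl+<digit> so shortcuts such as Ctrl+O never reach IE.
CtrlKeys := "abcdefghijklmnopqrstuvwxyz0123456789"
Loop, Parse, CtrlKeys
    Hotkey, ^%A_LoopField%, BlockKey

; Start IE in kiosk mode and restart it if it is ever closed.
SetTimer, EnsureBrowser, 2000
Gosub, EnsureBrowser
return                      ; end of the auto-execute section

EnsureBrowser:
    Process, Exist, iexplore.exe
    if (ErrorLevel = 0)     ; ErrorLevel holds the PID, or 0 if IE is not running
        Run, "%IEPath%" -k %StartUrl%
return

BlockKey:
return                      ; swallow the keystroke

; Mouse buttons that open context menus or new windows.
RButton::return
MButton::return

; Keys that close IE or open the Start menu.
!F4::return
LWin::return
RWin::return

; Support hotkey. Placeholder combination: choose your own and keep it private.
; Ctrl+Alt+Shift+F12 is not covered by the Ctrl+<letter/digit> block above.
^!+F12::Run, %ToolPath%
```

CTRL+ALT+DEL cannot be intercepted by AutoHotkey, which is why the options on that screen are removed through group policy instead.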
Process Explorer
One of the side-effects of locking the machine down is that if you want to remove everything from the CTRL+ALT+DEL menu, you need to disable Task Manager. In their infinite wisdom, Microsoft have provided the ability to remove Task Manager from the CTRL+ALT+DEL options. However, what this really does is disable the feature completely; even typing taskmgr in a command prompt won't work.
However, in troubleshooting the machine one of the first things you want to do is kill AutoHotKey to get back your shortcut keys and right mouse button. Also, Task Manager has a handy run menu that you can use to launch explorer and get your start menu back. So, given that we can't use Task Manager, we've installed Process Explorer, which is better anyway, allowing us to do everything we could with taskmgr.exe and then some. We just assign it to the most bizarre and hard-to-guess key combination imaginable in our script, and we're done, aside from maybe also assigning keys to cmd.exe and anything else we might need access to.
UPDATE: I didn't get around to fully documenting the Group Policies used here, so I've added a link below showing the output from the command gpresult /v which identifies the local policies enabled in the configuration.
- Our AutoHotKey script (with key combinations for process explorer etc. censored).
- Disable_sleep.reg (registry hack to remove the sleep option from the shutdown menu).
- Gpresult.txt (the output of gpresult, showing the group policies used in this setup).