Iexplorer.exe as Custom User Interface - Restart if closed?

3

I'm currently configuring a Kiosk machine using "IExplore.exe -K" as a replacement shell, everything is working fine.

Unfortunately you can still kill the IExplore.exe session by hitting Alt-F4. This just leaves a blank, black screen.

Is there any way to ensure IExplore.exe restarts if closed?

I've considered writing a Powershell script to run as a service or scheduled task to just check if it's running and restart it if it's not, any other ideas?

mhouston100

Posted 2015-03-31T05:32:39.030

Reputation: 140

Answers

0

In the end I no longer used 'Kiosk' mode in IE as the scope changed when it was Demo'ed. However the correct GPO for keeping IE open is located under:

UserConf\Administrator Templates\Windows Components\Internet Explorer\Browser Menus\FileMenu: Disable closing of the browser and Explorer Windows

This coupled with: UserConf\Administrative Templates\System\Custom User Interface

Pointing to "C:\Program Files\Internet Explorer\iexplore.exe"

Along with some other lockdown policies (No taskmanager, disk access, removable devices etc) and you wind up with a pretty robust Kiosk machine.

EDIT:

For any future Google'rs I ended up scrapping the kiosk mode altogether. It caused way to many problems.

In the end I still used IExplorer.exe as the shell but wrote a Powershell login script to simply scan for an IExplorer process and if not found restart it. This allowed the users to still have the flexibility of tabbed browsing etc but if they happened to accidentally close the session it just reopened to the homepage.

The script is below and just set through GPO as a login script:

Start-Job -ScriptBlock {
    While (1 -ne 0){
        Start-Sleep -Seconds 5
        If (-not(Get-Process iexplore -ea silentlycontinue | select *| Where-Object {$_.MainWindowHandle -ne 0})){
            Start-Process -FilePath "$($env:ProgramFiles)\Internet Explorer\iexplore.exe"
        }
    }
} | Wait-Job

mhouston100

Posted 2015-03-31T05:32:39.030

Reputation: 140

To add an update, using the policy there are a few caveats:

  1. You can't close the browser OR tabs, so users opening multiple tabs will continue to exist regardless

  2. It seems to cause issues with browsing to different sites, displaying an error 'restrictions on this computer prevent you...'

I'm doing some more testing at the moment as this has again changed what I'm looking at. – mhouston100 – 2015-04-01T00:27:41.290

2

Unfortunately you can still kill the IExplore.exe session by hitting Alt+F4.

Warning:

The instructions below contain steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.

Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

For more information see How to back up and restore the registry in Windows.


How do I prevent Alt+F4 killing the session?

Finally, Alt+F4 or Ctrl+W would close the Kiosk-mode window.

You can lock down these subversive key combinations using restrictions in the Registry:

  • Launch RegEdit from the Start menu's Run dialog;
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Internet Explorer\Restrictions
  • Find or create each of the following DWORD values, setting its data to 1 to enable the restriction:

    -NoBrowserClose (disables closing the browser window)

    -NoBrowserContextMenu (disables right-click context menu)

    -NoFileOpen (disables use of Ctrl+O or Ctrl+L to launch an arbitrary URL)

    -NoOpenInNewWnd (disables opening a link in a new window via Ctrl+N or Shift-click)

A user who attempts one of these restricted actions will get a warning stating "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." You may need to restart the computer to make it recognize changes in these values.

Of course users can still enter Ctrl+Alt+Del to bring up Task Manager and end the process.

Source Internet Explorer's Kiosk Mode

Note:

Another source Building a Windows 7 Kiosk in 10 minutes says the key to add is HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions


How can I disable Ctrl+Alt+Del?

DavidPostill

Posted 2015-03-31T05:32:39.030

Reputation: 118 938

Thanks for the info. I don't know if those reg keys are current with IE 11, the entire key doesn't exist. I'll keep it in mind for testing however.

In the end I had to go a different route, scrapping Kiosk mode and using a combination of GPO's to start IE and stop the window from being closed. – mhouston100 – 2015-03-31T21:09:24.910

Another reference cites the key as HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions – DavidPostill – 2015-03-31T21:28:45.873

After playing around with the GPO settings, while they do work they do cause some usability issues. I'll be testing out your registry keys today but I think your answer may be a better solution than using the GPO's. – mhouston100 – 2015-04-07T00:21:23.333

1

I have recently setup Kiosk Mode for local libraries using

UserConf\Administrative Templates\System\Custom User Interface Pointing to "C:\Program Files\Internet Explorer\iexplore.exe"

Along with some other lockdown policies (No taskmanager, disk access, removable devices etc)

I did not use the -k (kiosk switch) as I found opening PDF etc would also run in Full screen Kiosk mode and cause user's grief. like being stuck with a PDF open in full screen over top of their IE window and unable to close it.

As mhouston100 wrote: "To add an update, using the policy there are a few caveats: 1. You can't close the browser OR tabs, so users opening multiple tabs will continue to exist regardless 2. It seems to cause issues with browsing to different sites, displaying an error 'restrictions on this computer prevent you...' I'm doing some more testing at the moment as this has again changed what I'm looking at."

I found the same issue when using this GP Restriction - Hyperlinks were being blocked in IE - even poor old Google was being restricted.

Using the above PowerScript works a treat - cheers mhouston100

BadBBilly

Posted 2015-03-31T05:32:39.030

Reputation: 11

0

The best soltution that I was able to find for securing a public web browser was posted at http://haslenet.co.uk/?p=816 and uses a script and a few registry settings to lock the kiosk down properly. So far I have not been able to find any weaknesses in it.

Bruce Wallace

Posted 2015-03-31T05:32:39.030

Reputation: 1

Please avoid link-only answers; include the instructions here in case that link becomes unavailable. – bertieb – 2015-09-08T09:03:39.537