Do they need access to any web browser other than Internet Explorer? Does it need access to the internet at large or just a very specific website?
I believe they are only using IE. Any website. It's open to public.
You can use an alternate Windows shell instead of Windows Explorer (like Internet Explorer), apply security policies and other customization to Internet Explorer[microsoft.com], apply software restriction policies and prevent them from doing most things they shouldn't (including launching Windows Explorer). If you really want to completely lock it down with minimal effort, tools like Deep Freeze are great, but in many cases adequate results can be obtained freely but require more time and effort.
Basically this: http://www.ehow.com/how_7503804_b...kiosk.html plus various security and app restriction policies (using an account with guest-like permissions, start with USGCB[nist.gov] and add additional restrictions you want, specifically to IE[microsoft.com] and Windows Explorer, and app restriction, block access to Task Manager from Ctrl-Alt-Del). Putting IE into kiosk mode (-k) may actually be too restrictive for your needs. Blocking/locking things that might otherwise only be accessible via keystrokes is important. Privacy of users may be important too (hiding history and purging cookies). You may want to automate an auto log off and force acceptance of an AUP (click OK and it will auto login) using something like this[grimadmin.com] to auto log off.
What is the specific environment the computer will be placed in? Will it be used for anything else (authenticated users / anything secure)?
It's Windows 7. I'm not aware of any other secure use.
Even with programs like Deep Freeze, it's also a good idea to make other modifications to security policies etc.
As far as I know they only want to make sure no one can save any data while they are logged in as a certain user. If they can get a certain feature, like the user won't shut down, then that would be a bonus.
We already covered this! The closest equivalent to Windows SteadyState is a program called Deep Freeze; it is not free. Even if you use a program like this, you should make some other security modifications which have been touched on here already. The single most useful tool to you is probably the Internet Explorer Customization Wizard that I linked to earlier; you can do many, many things that are relevant to this type of installation.
Saving things on the desktop should really be the least of your concerns as to things a user of this guest account could do. But it, like most of the major concerns, is relatively easy to prevent. Blocking browsers from using the file:/// protocol and from launching the Task Manager are probably two of the more significant.
What kind of business or organization is this for? Who will be using it? What type of sites are they likely to access? Is their security/privacy much of a concern (purging cookies/cache/history)? Do you want to enforce a usage time limit? Will any trusted users (read, needing more rights/permissions) be using this computer (you keep saying subtle things that leave me wondering)?
This information might alter the approach to your problem.
As vivahate suggested, there are some Linux distros that have some pretty powerful kiosk-type functions built in too. Like: http://webconverger.com/
Even with decent software to run a kiosk, there are many possible exploits. To do it right you need to involve quite a few low level restrictions. For some amusing reading on exploiting a kiosk, see: http://defcon.org/images/defcon-1...-craig.pdf
There are ways to mitigate many of the things covered in this pdf.
The biggest risks would be if they could gain access to important things on your network.
Ultimately a good, secure kiosk requires many layers of security:
-Network security, isolating machine on a network level and restricting access to malicious sites
-Physical security, prevent tampering / physical access / booting from alternate devices / installing devices / possibly going as far as a thin client with no hard drive. Use PS/2 mouse/keyboard if possible. Possibly a custom keyboard or mouse without most modifiers / F-keys.
-BIOS security, locked down with good password, boot options restricted, unneeded I/O disabled
-Kernel level security with a program like Deep Freeze (makes it much harder for any successful exploits to survive a reboot) / Possibly custom keyboard mouse drivers that restrict input
-File system permissions, restrict the ability to read/write from places they shouldn't
-OS level security restrictions to prevent access to things that could compromise the kiosk, use AppLocker to only whitelist a very limited set of processes (also use an alternate shell and explicitly block explorer.exe, cmd.exe, regedit.exe from launching). Don't install Flash, Java, or Silverlight; disable ActiveX in all zones. PDF viewers and plugins are another vulnerability vector.
-Browser / Kiosk software that simplifies tasks the kiosk user is expected to perform and prevents them from doing things they shouldn't. In most cases the things this level would strive to block should be blocked by one of the lower levels.
Another consideration is how the machine gets software and OS updates, as many of the things you would do to make it a kiosk make this harder (generally some manual effort is required).
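
An added example, not part of the thread: a small audit script that checks whether the per-user restrictions discussed above (Task Manager, registry editor, command prompt, shutdown, alternate shell) are actually in effect for the kiosk account. It assumes the restrictions were applied through the standard Group Policy registry values named in the code and that it is run while logged on as the kiosk account.

```powershell
# Added example: audit the kiosk account's per-user restrictions.
# Run while logged on as the kiosk account; syntax is kept compatible with
# Windows PowerShell 2.0, the version that ships with Windows 7.
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cmdPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or the value is missing (policy not set).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$checks = @(
    @{ Desc = 'Task Manager blocked';        Path = $system;   Name = 'DisableTaskMgr'
       Ok = { $args[0] -eq 1 } },
    @{ Desc = 'Registry editor blocked';     Path = $system;   Name = 'DisableRegistryTools'
       Ok = { 1, 2 -contains $args[0] } },
    @{ Desc = 'Command prompt blocked';      Path = $cmdPol;   Name = 'DisableCMD'
       Ok = { 1, 2 -contains $args[0] } },
    @{ Desc = 'Shut Down commands removed';  Path = $explorer; Name = 'NoClose'
       Ok = { $args[0] -eq 1 } },
    @{ Desc = 'Custom shell (not Explorer)'; Path = $system;   Name = 'Shell'
       Ok = { $args[0] -and $args[0] -notmatch 'explorer\.exe' } }
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue $c.Path $c.Name
    $test  = $c.Ok
    New-Object PSObject -Property @{
        Check  = $c.Desc
        Value  = $(if ($null -eq $value) { '(not set)' } else { $value })
        Status = $(if (& $test $value) { 'OK' } else { 'MISSING' })
    }
}

# AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{
    Check  = 'Application Identity service running'
    Value  = $(if ($svc) { $svc.Status } else { '(not found)' })
    Status = $(if ($svc -and $svc.Status -eq 'Running') { 'OK' } else { 'MISSING' })
}

$results | Select-Object Check, Value, Status | Format-Table -AutoSize
```

Any row reporting MISSING means that layer is relying on the ones above or below it; the script only reads settings and changes nothing.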