Tip

Create kiosks for XP and 2000

Building a kiosk in Windows XP and 2000 is not really as hard as it sounds. This tip will discuss building a kiosk on a stand-alone workstation. This scenario applies differently to a system you would deploy in an AD domain. It's a good idea to do this initially in a non-production system that is backed up, because you will be modifying system permissions as you go. You could wind up denying yourself access to the system, so having a backup would be handy.

First, you will need to create an account that has limited rights in addition to the admin account already in existence. I like to create a kiosk local group and a user called "Kiosk." The user "Kiosk" is a member of only the kiosk group.

Under the Run menu, type "mmc" to create a new Microsoft Management Console. You will need to add the snap-in for Group Policy, and designate it for the local machine. Save the Group Policy in your Administrative Tools.

In this MMC, you can configure permissions to apps and overall access to the OS. If you are in doubt about what a particular setting does, the Explain tab does a fantastic job. (To get to the Explain tab, right-click on a policy object, such as "Remove users folders from the Start Menu," and select Properties from the context menu.)

Here is where many people will mess up. To access the Group Policy MMC, you need to have permissions to access the files the MMC uses to enforce the policies. As you are changing settings, you will find that you are actually locking down the system (the admin account) around yourself. Sooner or later, you will lock yourself out of the system and face a format/reinstall.

Avoid this problem by using the following method:

  1. Create shortcuts to the Group Policy MMC and %systemfolder%\system32\grouppolicy on the admin desktop.
  2. Allow the Administrator account Read and Write permission and the KIOSK group Read permission on the Security tab for the gpt.ini file located in the grouppolicy folder. (Some like to assign to the folder instead. Either works.)
  3. IMPORTANT!!! LEAVE THE EXPLORER VIEW OF THE GROUP POLICY FOLDER OPEN!!!
  4. Open Group Policy, and modify your desired settings.
  5. Close down Group Policy, and save settings.
  6. REOPEN Security tab on gpt.ini and set the Admin account to DENY READ Permission.
  7. Log out and log in as the kiosk user. The changes you enabled should be apparent. When you log back in as the admin account, you SHOULD NOT see the changes.

My main recommendation is to modify settings slowly until you are comfortable with the process. Start with hiding the Recycle Bin from the desktop. Once you are at the point at which the admin account can log in and NOT inherit the policy (you see the Recycle Bin) and the kiosk user DOES inherit it at login (you cannot see the Recycle Bin), you are using the methodology correctly.
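
Before logging out after step 6, it helps to confirm which state the gpt.ini permissions are actually in and to keep a record of them. The PowerShell below is an added example, not part of the original tip: a read-only check that assumes PowerShell is installed on the workstation, that the policy folder is %SystemRoot%\System32\GroupPolicy, and that the local accounts are named "Administrator" and a kiosk group "Kiosk".

```powershell
# Added example: read-only audit of the gpt.ini ACL; it changes nothing.
# Assumed names (adjust to your system): policy folder under %SystemRoot%,
# local account "Administrator" and a kiosk group called "Kiosk".
# Run it as the file's owner so the ACL itself can still be read.
$GptIni     = Join-Path $env:SystemRoot 'System32\GroupPolicy\gpt.ini'
$AdminName  = "$env:COMPUTERNAME\Administrator"
$KioskGroup = "$env:COMPUTERNAME\Kiosk"

$Rights    = [System.Security.AccessControl.FileSystemRights]
$ReadData  = [int]$Rights::ReadData    # the bit that controls reading file content
$WriteData = [int]$Rights::WriteData

# True if an ACE that names $Identity directly, of the given type (Allow/Deny),
# covers every bit in $Mask. Access gained through group membership
# (for example BUILTIN\Administrators) is not resolved here.
function Test-Ace {
    param($Rules, [string]$Identity, [string]$Type, [int]$Mask)
    foreach ($rule in $Rules) {
        if ($rule.IdentityReference.Value -ieq $Identity -and
            $rule.AccessControlType.ToString() -eq $Type -and
            ([int]$rule.FileSystemRights -band $Mask) -eq $Mask) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path $GptIni)) { throw "gpt.ini not found at $GptIni" }
$rules = (Get-Acl -Path $GptIni).Access   # explicit and inherited ACEs

$adminDenied = Test-Ace $rules $AdminName  'Deny'  $ReadData
$adminWrite  = Test-Ace $rules $AdminName  'Allow' $WriteData
$kioskRead   = Test-Ace $rules $KioskGroup 'Allow' $ReadData

# Print the full ACL with the verdict so each change can be documented.
$rules | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

if (-not $kioskRead) {
    'WARNING: no Allow Read entry names the kiosk group; check step 2.'
} elseif ($adminDenied) {
    'Locked state (after step 6): admin is denied Read, kiosk group can read.'
} elseif ($adminWrite) {
    'Editing state (steps 2-5): admin can still read and write gpt.ini.'
} else {
    'Unexpected ACL: review the entries listed above before logging out.'
}
```

Redirecting the output to a dated text file after each change gives you the written record the tip recommends.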

Also, be careful with advanced settings, especially in Windows Explorer, because modifying some of those could lock you out of Explorer submenus and even get you to the point where you cannot access the properties of a file to modify permissions. Best Advice: GO SLOW, and DOCUMENT WHAT YOU DO!

Good luck!

Earl Grylls
NT/2K MCSE

This was first published in February 2002