Winnipeg Photographer

How to turn a Windows 7 PC into a Kiosk


Windows 7 Professional or higher. You can not do this with the home versions.

Steps to lock down the Kiosk Computer

How to lock down the computer basically leverages local Group Policy (although there is no reason you can’t do this in global group policy on your Windows Small Business Server 2008 machine) to allow users to only run certain applications.  Thus preventing users from getting into trouble and lowering your total cost of ownership on that client PC (or your whole network).

If you have a shared or public computer you might want to allow users to use only specified programs. Today we take a look at a setting in Local Group Policy that allows you to set only specified programs to run.

First click on Start and enter gpedit.msc into the search box and hit Enter.

Navigate to User Configuration \ Administrative Templates \ System. Then under Setting scroll down and double click on Run only specified Windows applications.


Set it to Enabled, then under the Options section click on the Show button next to List of allowed applications.


A Show Contents dialog comes up where you can type in the apps you want to allow users to run. When finished with the list, click OK then close out of Local Group Policy Editor.


If a user tries to access an application that is not on the specified list they will receive the following error message.


This is a nice feature for limiting what programs users can or cannot access on the computer.

12 Responses

  1. But afterwards you can’t get back into the Group Policy Editor?

  2. Thomas on February 18th, 2010 at 6:07 am
  3. No. You should be able to get back into the group policy editor as long as you are an administrator of the computer.

  4. Jared Heinrichs on February 18th, 2010 at 9:38 pm
  5. I just tried to get back into the editor and it won’t let me.
    I am a Domain admin

  6. Chris Eytcheson on April 9th, 2010 at 3:05 pm
  7. Have you tried logging on as a local admin? Sounds like you made the Group Policy settings too restrictive. If you still can’t get back on unplug the computer from the network. Go into safemode. There are tools you can download that will remove Group Policy restrictions (I like the “Geek Squad” CD for that) and then apply the settings you wish to have. Sorry for the late response. Just had a baby and we’re in the process of moving.

  8. Jared Heinrichs on April 13th, 2010 at 5:31 am
  9. Same thing happenned to me too. I was in local administrators group but nevertheless I was restricted from running anything else but word in my case.

    It was easily fixed by launching mmc from remote computer in same network. Then I added snap-in “Group Policy Object Editor” which asked if I would like to edit local or remote computer. I specified restricted remote computers name and then I was able to modify restrictions.

    Both computers were Windows 7 but I would believe that it goes same way with previous Windows releases.

    Hope that this helps somebody :)

  10. Timo Waltari on June 2nd, 2010 at 12:23 am
  11. There are many security/kiosk apps out there that simplify the Group Policy editor. We use one called Secure Lockdown by Inteset. It eliminates the need to futz around with a billion settings. It’s perfect for Windows 7 kiosks (we use it with Windows 7 Premium).

  12. jeffl012 on November 30th, 2010 at 2:59 pm
  13. Just change the NTFS file permissions on the file MMC.EXE to only allow LocalAdministrators or DomainAdministrators to execute the file and just add MMC.EXE to the list of allowed programs in the GPO.

  14. Pronost on January 25th, 2011 at 7:37 am
  15. Guys! Simply open MMC.EXE Add Group Policy Editor. Hit next. Then ADD it AGAIN only this time you will notice a tab at the top! Select Non-Administrators and THEN you can set your policies.

    Using GPEDIT is GLOBAL. But not if you use it in the context I just mentioned

    Good Luck!


  16. Ron Decker on May 31st, 2011 at 11:57 am
  17. Why not simply add a hot key combo to a shortcut to get back into mmc.exe

  18. Jay on August 18th, 2011 at 2:03 pm
  19. You also need to add mmc.exe into the list of allowable applications if you want to get back into it. Otherwise you will need to locate the policy in the Windows Registry – if you have disabled the Registry Editor then you will have to use a 3rd party registry editor that relies on API calls to access the registry.

  20. Gerallt on January 24th, 2012 at 7:13 pm
  21. I use the parental protection for that. For each user you can setup the parental permission to run certain programs. A limited account should do the job.

    Hope that helps.

  22. Ralf on March 7th, 2012 at 4:26 am
  23. I am stuck with this. I added programs and now want to do changes. Now Win7 Pro is not allowing me to open gpedit.msc
    Please advise how to do that?
    The computer is standalone machine and it is not connected to any network or domain.

    Urgent Help required.

    Thanks in advance.


  24. Jawwad on August 8th, 2012 at 7:13 am

Leave a Reply