Requirements
Windows 7 Professional or higher. You can not do this with the home versions.
Steps to lock down the Kiosk Computer
How to lock down the computer basically leverages local Group Policy (although there is no reason you can’t do this in global group policy on your Windows Small Business Server 2008 machine) to allow users to only run certain applications. Thus preventing users from getting into trouble and lowering your total cost of ownership on that client PC (or your whole network).
If you have a shared or public computer you might want to allow users to use only specified programs. Today we take a look at a setting in Local Group Policy that allows you to set only specified programs to run.
First click on Start and enter gpedit.msc into the search box and hit Enter.
Navigate to User Configuration \ Administrative Templates \ System. Then under Setting scroll down and double click on Run only specified Windows applications.
Set it to Enabled, then under the Options section click on the Show button next to List of allowed applications.
A Show Contents dialog comes up where you can type in the apps you want to allow users to run. When finished with the list, click OK then close out of Local Group Policy Editor.
If a user tries to access an application that is not on the specified list they will receive the following error message.
This is a nice feature for limiting what programs users can or cannot access on the computer.
Thomas says
But afterwards you can’t get back into the Group Policy Editor?
Jared Heinrichs says
No. You should be able to get back into the group policy editor as long as you are an administrator of the computer.
Chris Eytcheson says
I just tried to get back into the editor and it won’t let me.
I am a Domain admin
Jared Heinrichs says
Have you tried logging on as a local admin? Sounds like you made the Group Policy settings too restrictive. If you still can’t get back on unplug the computer from the network. Go into safemode. There are tools you can download that will remove Group Policy restrictions (I like the “Geek Squad” CD for that) and then apply the settings you wish to have. Sorry for the late response. Just had a baby and we’re in the process of moving.
Timo Waltari says
Same thing happenned to me too. I was in local administrators group but nevertheless I was restricted from running anything else but word in my case.
It was easily fixed by launching mmc from remote computer in same network. Then I added snap-in “Group Policy Object Editor” which asked if I would like to edit local or remote computer. I specified restricted remote computers name and then I was able to modify restrictions.
Both computers were Windows 7 but I would believe that it goes same way with previous Windows releases.
Hope that this helps somebody 🙂
jeffl012 says
There are many security/kiosk apps out there that simplify the Group Policy editor. We use one called Secure Lockdown by Inteset. It eliminates the need to futz around with a billion settings. It’s perfect for Windows 7 kiosks (we use it with Windows 7 Premium).
Pronost says
Just change the NTFS file permissions on the file MMC.EXE to only allow LocalAdministrators or DomainAdministrators to execute the file and just add MMC.EXE to the list of allowed programs in the GPO.
Ron Decker says
Guys! Simply open MMC.EXE Add Group Policy Editor. Hit next. Then ADD it AGAIN only this time you will notice a tab at the top! Select Non-Administrators and THEN you can set your policies.
Using GPEDIT is GLOBAL. But not if you use it in the context I just mentioned
Good Luck!
Ron!
Jay says
Why not simply add a hot key combo to a shortcut to get back into mmc.exe
Gerallt says
You also need to add mmc.exe into the list of allowable applications if you want to get back into it. Otherwise you will need to locate the policy in the Windows Registry – if you have disabled the Registry Editor then you will have to use a 3rd party registry editor that relies on API calls to access the registry.
-GF
Ralf says
I use the parental protection for that. For each user you can setup the parental permission to run certain programs. A limited account should do the job.
Hope that helps.
Ralf
Jawwad says
I am stuck with this. I added programs and now want to do changes. Now Win7 Pro is not allowing me to open gpedit.msc
Please advise how to do that?
The computer is standalone machine and it is not connected to any network or domain.
Urgent Help required.
Thanks in advance.
Jawwad
Gustavo Valente says
Hi guys,
I managed to fix it through regedit in Safe Mode Command Prompt. Steps below:
1. Start in Safe Mode Command Prompt (it must be Safe Mode COMMAND PROMPT, or else regedit won’t start)
2. Type regedit on command prompt
3. Find the folder “RestrictRun”
4. Change the value of the key inside that folder to 0
Hope it helps!