GPEDIT Lock down help

I am currently supporting 12 remote locations who just log into citrix via internet explorer. Our users can not seem to understand that they do not log into the domain with there main account but our account called citrix. I am looking to completely disable their ability to log off, switch user, restart, shut down, lock, sleep and hibernate. I enabled some features in gpedit and currently I am left with lock and log off. Is there anyway to get rid of those two also. I tried to edit the registry to get rid of them and had no luck also. If I could disable the entire start menu it would be even better. I just need the desktop to have a single internet explorer icon on it. Any help would be great. All machines are windows 7 professional x64. Thank you

xndrxw said:

........If I could disable the entire start menu it would be even better. I just need the desktop to have a single internet explorer icon on it. Any help would be great. All machines are windows 7 professional x64. Thank you

I'm not sure that I totally understand your situation, but you can replace the explorer shell with internet explorer and have IE go to the page of interest. See the video for info on how to do that. Doing that gets rid of the desktop, taskbar, start button.....

Be sure that you can use remote registry to put the explorer shell back.

Be sure that you can restart these remote computers via a tool like psexec.

You could have these computers set to automatically log on the user named citrix

Use group policies at the user lever to prevent IE from being shutdown
(alt-f4 will not close that window either)
User Configuration >
Administrative Templates >
Windows Components >
Internet Explorer >
Browser menus
File menu: disable closing the browser and Explorer windows

And it sounds like you have already enabled all 4 options under:
User Configuration >
Administrative Templates >
System >
Ctrl+Alt+Del Options

You might have done this too:
(I did not enable this so I could restart in the video):
User Configuration >
Administrative Templates >
Start Menu and Taskbar
Remove and prevent access to the Shut Down, Restart.....

And at the computer level:
Computer Configuration >
Administrative Templates >
System >
Logon
Hide entry points for Fast User Switching

A system setup like that will look like this when it starts:

BTW, I think that I figured out how to get rid of the last two one items (lock and log off) that you mentioned, but you did not specify where you were seeing them.

User Configuration >
Administrative Templates >
Start Menu and Taskbar
Change Start Menu power button
Set the power button to "Lock".

User Configuration >
Administrative Templates >
System >
Ctrl+Alt+Del Options
Remove Lock Computer
Will disable (but not always hide) "Lock".
When a user clicks on Lock - nothing happens.
Lock will still show on the power button and on it's menu...
...but nothing happens when you click on it.

Edit: spoke too soon - doing the steps above moves log off to the power button's menu :-(

xndrxw said:

...The only problem would be if another user, not someone using citrix as their login would try to get into the machine. Would it still launch into the kiosk mode or would it actually launch a normal desktop?...

I cannot tell from your original post or from that sentence & question above - if you want other users to be able to use the computer normally or not.

In the setup that I showed, it will always be a kiosk. Once you replace the shell, there is never an opportunity for another user to log on. The computer must be set to automatically log on one user. It becomes a computer dedicated to one simple task. It won't be good as a normal computer until you put the normal shell back.

xndrxw said:

...Also I am going to be trying to deploy this starting next Tuesday across about 100 machines so I need something somewhat fast to do. So could I write up a .reg file to make the kiosk change in the registry to simply things?

You could, but I would not fan it out without testing it in one or two locations for months - with a variety of users.


I've not had any personal experience administrating computers in this kiosk mode. I've only seen it done at a college (using XP). And of course, the challenge then became attempting to crash IE - which makes the kiosk useless until it automatically rebooted each night via the bios.

Hmm. Maybe I can have IE launch automatically in full screen and not allow it to be shut down. The biggest problem is that users are logging out of one account and into their own and trying to pull their profile remotely will sometimes take up to 2 hours. The account I created "citrix" has nothing in the profile and logs in right away. It seems like any precaution I put into place a user finds away around it. The kiosk mode will defiantly work for our systems setup for video conferencing and I will be testing that out as soon as I return from the remote offices.

xndrxw said:

Hmm. Maybe I can have IE launch automatically in full screen and not allow it to be shut down. The biggest problem is that users are logging out of one account and into their own...........

You do not want to let the Explorer shell launch and then launch IE. Once Explorer launches, then all sorts of things have to be locked down (like you tried). If you let the Explorer shell start and then start IE full screened, I think that users can still "Alt-Tab" to get to the desktop. Then they can log off & thus try to log themselves on.

If you replace the Explorer shell with IE - then there is no desktop (Start Menu) to "Alt-Tab" to - so most of those lock down issues go away.

-have fun
-let us know how this turns out