Enforcing Kiosk mode via GPO or other methods

  • Question

  • Hi,

    I'm trying to set up client workstations (Vista) that will run IE in kiosk mode and nothing else. I need a way to restrict all keyboard shortcuts (for both IE and Windows) and any other tricks that may let the user break out of kiosk mode, open another window, run a command etc. I want to empty the start menu, remove all icons etc, and have IE launch in kiosk mode on startup. There are also a few configuration settings that need to be done on a per-user basis, such as installing certificates, that I need to enforce. I would like to do this with GPOs as much as possible, but I've been led to believe I may need to use profiles or startup scripts for some of what I wish to do.

    Users will have domain accounts, and may use any available workstation. Nothing sensitive should be stored permanently on the workstation. Domain is at 2008 level, with Server 2008 SP1 DC, other 2008 SP1 member servers, and all clients running Vista SP1. The SSLF is enforced for baseline security, but I now need to customise it for use with IE in kiosk mode.

    I'm not sure of the best way to go about this, as some of the settings (keyboard shortcuts) I think are user-specific registry settings, but I don't want the user to have the ability to edit the registry, so I think this precludes logon scripts.

    Any help or advice appreciated,

    Tuesday, August 18, 2009 10:45 AM

All replies

  • You can replace the standard Windows Explorer user interface with Internet Explorer running in kiosk mode. The Internet Explorer kiosk mode removes menus, title bar, status bar and the toolbars. The end result is that Internet Explorer runs in full-screen mode without any scroll bars, menus, or an address bar. Students will only be able to click on the hyperlinks on the internal Web site to limit their browsing. Since you have some links pointing to external Web sites, they will still be able to access those URLs.

    Enabling Kiosk Mode on Computers in a Domain
    Internet Explorer Kiosk Mode can be enabled using a Group Policy setting if the computer is part of an Active Directory domain. Here’s the step-by-step procedure.

    1. Open the Group Policy that you want to apply to the students.
    2. Go to User Configuration\Administrative Templates\System.
    3. Double-click on Custom user interface and select Enabled (see Figure 1).
    4. In the Interface file name box type "c:\program files\internet explorer\iexplore.exe" -K.
    5. Click OK and close the Group Policy console.
    Custom user interface properties: should be enabled.
    Interface file name: in the field you should type this setting: "%ProgramFiles%Internet Explorer\IExplore.

    It’s a good idea to look at other configuration settings that will be useful in your situation. Apply other restrictive policies in the following locations when you enable Internet Explorer kiosk mode:

    [Computer Configuration\Administrative Templates\Windows Components\Internet Explorer]
    [User Configuration\Administrative Templates\Windows Components\Internet Explorer]


    Regards, NA


    • Proposed as answer by Letsielo Thursday, September 2, 2010 8:14 PM
    Friday, January 22, 2010 4:38 PM
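
A check for the setting from steps 3 and 4 of the answer above, as an added example that is not part of the original thread: it reads the value the Custom user interface policy applies to the current user and flags a missing -K switch or an unquoted path. It assumes the policy is stored as the Shell value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System; the function name Test-KioskShellCommand and the sample strings are constructed for illustration.

```powershell
# Added example. Assumption: the "Custom user interface" policy is stored as the
# Shell string value under this per-user policy key.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-KioskShellCommand {
    param([string]$CommandLine)
    $findings = @()
    if (-not $CommandLine -or $CommandLine.Trim() -eq '') {
        return @('No custom shell set; Explorer loads as the normal desktop.')
    }
    # Split into executable and arguments; a quoted path may contain spaces.
    if ($CommandLine -match '^\s*"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $argText = $Matches[2]
    } else {
        $null = $CommandLine -match '^\s*(\S+)\s*(.*)$'
        $exe = $Matches[1]; $argText = $Matches[2]
        if ($argText -match '\\') {
            $findings += 'Path is not quoted as in step 4; a path with spaces is ambiguous.'
        }
    }
    if ([System.IO.Path]::GetFileName($exe) -ne 'iexplore.exe') {
        $findings += "Shell executable is '$exe', not iexplore.exe."
    }
    # -K must be present as its own argument (comparison is case-insensitive).
    $switches = $argText -split '\s+' | Where-Object { $_ }
    if ($switches -notcontains '-k') {
        $findings += 'The -K switch is missing; IE will not start in kiosk mode.'
    }
    return $findings
}

# Constructed sample values: step 4 as written, without -K, and unquoted.
$samples = @(
    '"c:\program files\internet explorer\iexplore.exe" -K',
    '"c:\program files\internet explorer\iexplore.exe"',
    'c:\program files\internet explorer\iexplore.exe -K'
)
foreach ($s in $samples) {
    $f = @(Test-KioskShellCommand -CommandLine $s)
    if ($f.Count -eq 0) { "OK    $s" } else { "FAIL  $s"; $f | ForEach-Object { "      $_" } }
}

# Value actually applied to the logged-on user (empty if the policy is not set).
$live = (Get-ItemProperty -Path $PolicyKey -Name Shell -ErrorAction SilentlyContinue).Shell
"Live policy value: $live"
@(Test-KioskShellCommand -CommandLine $live)
```

Run it in the kiosk user's session after a policy refresh; an empty result for the live value means the policy has reached that user with the quoted path and the -K switch intact.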
  • One thing I found helpful (but not documented in many places) was how to use Group Policy Preferences for this. I had to set up a few kiosk machines and documented the whole process. That guide can be found here:


    If my answer helped you, check out my blog: DeployHappiness. Subscribe by RSS or email. 

    • Proposed as answer by YogersonF Monday, November 17, 2014 7:43 PM
    • Unproposed as answer by YogersonF Monday, November 17, 2014 7:43 PM
    Tuesday, August 13, 2013 7:37 PM
  • I had a bonus question that this answer helped me on, although do not forget the -K in step 4 or it won't work!!!
    Wednesday, February 27, 2019 8:25 PM