Thursday, March 7, 2019

Restricted Windows logon for kids - browser kiosk

Whenever kids seem to want to use the computer for homework or studying, they quickly drift off into other activities and develop super senses to hear the coming of a parent in order to click all the non-study related content away. So I looked into possible ways to restrict them to specific sites or apps. Let's assume we're looking at restricting kids to only access Khan Academy for study courses, videos and exercises. Some mobile devices have kids modes, where you can restrict the interface to only a few specific applications. I know the ASUS Zen interface has this option under settings->advanced for Android devices. But if the kid doesn't have such a device and does have a Windows machine, you can do some work to limit what can be done on it.

The following is a rough template for setting up Windows 10 Home with a restrictive logon. Most of these steps may work well on other Windows versions. I'm not going to dumb it down into all the specifics of how to do everything with screenshots. If anything gets confusing, google it.

1) Create a new child account in the family. Configure it as you wish in terms of time restrictions and application restrictions, but ensure the Chrome web browser is an allowed application. As an added restriction to internet access, you can set up allowed websites in the Microsoft family website. Leaving this blank will block everything, at least for use within Internet Explorer. For family management to work properly, you need to ensure diagnostics is turned on.

2) Install Chrome, if you haven't done that already.

3) Log on as the new child and open up Chrome.

4) Install the extension xTab and configure it for a maximum of one tab. This will prevent any "open in new tab" and tab switching. You can add any other security extensions that you want for additional privacy and security (ex: adblock, privacy badger, etc).

5) Switch users to an administrator/parent account.

6) Create an HTML file somewhere on your machine; let's call it home.html. This file needs to be accessible to the child account, but as a best practice it should be in a folder that the child does not have write access to. Let's say you create a folder named c:\shared, and set permissions on it to allow the child read and execute permissions.

If you want to have more than one site available, then add additional a href lines pointing to those sites.

7) Create a batch file in this shared folder as well. Let's call it chrome.bat. Put this in as the content:

@echo off
cd /d "C:\Program Files (x86)\Google\Chrome\Application"
start /wait chrome --kiosk --chrome-frame --allow-file-access-from-files file:///C:/shared/home.html
shutdown /l

This batch file runs Chrome in kiosk mode and holds Chrome in the foreground before running the "shutdown" command with the logoff option. This will cause the account to log off as soon as Chrome is closed with "alt-f4".

8) Switch back to the child account's logon.

9) Open Task Scheduler from the start menu, and go to Task Scheduler Library.

10) Right click that and select "Create task". Give it a name. Go to the triggers tab, click new. At the "Begin the task" pull down, select "At log on". If the "specific user" option is available, make sure to select only the child account. Leave everything else as default and click ok. On the actions tab, click the browse button, and navigate to c:\shared\chrome.bat. Click ok. Go to the conditions tab and uncheck all the power options. Go to the settings tab and uncheck "stop the task if it runs longer than". Click ok to save the task.

11) Open up Registry Editor. Go to HKEY_CURRENT_USER -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon. If there is no value called "Shell", create a new REG_SZ value with the name "Shell" and value of "rundll32". This will prevent the default Windows Explorer interface from loading when the user logs on. There will be no start menu, desktop or task bar.

12) In the child's Chrome instance, go to settings, set "show home button" to enabled, and set the home button value as "file:///C:/shared/home.html". This will allow the child to use "alt-home" to get back to your custom HTML file in case you have more than one site listed. It will save a lot of going backwards to get back to the original start page.

13) Switch back to your parent/administrator account. Open Registry Editor. Go to HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Policies -> System. Look for a registry value called "DisableTaskMgr". If that is present, set the value to 1. If it is not present, create a new REG_DWORD with that name and set the value to 1. This will disable the task manager option from the ctrl-alt-del menu.


That should complete the setup. Log off of the child account and log back on. You should get a Chrome window opening automatically, with most of the buttons and menu options missing. Keep in mind that the browser can still get to any site that is linked from any of the sites you list for them. So if they can get to a search engine, they can get anywhere. You can find additional Chrome extensions that block specific sites, and those can be used to limit certain pages. YouTube blocks by these extensions can allow embedded video and still prevent direct YouTube access by right-clicking to view on YouTube, which is another potential way to break out of this limited mode.
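
The parent-side parts of the procedure (the read-only shared folder and start page from step 6, and the Task Manager policy from step 13) can be scripted and then checked from an elevated PowerShell prompt. This is an added example, not part of the original post; the account name 'child' is a placeholder and the Khan Academy link is an assumed start-page entry.

```powershell
# Added example. Run elevated from the parent/administrator account.
# ASSUMPTION: 'child' is a placeholder for the child's local account name.
$Child  = 'child'
$Shared = 'C:\shared'
$Admins = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators
$System = 'S-1-5-18'       # well-known SID: NT AUTHORITY\SYSTEM

# Step 6: create the folder, drop inherited permissions, and grant full
# control to admins/SYSTEM but only read & execute to the child.
New-Item -ItemType Directory -Path $Shared -Force | Out-Null
icacls $Shared /inheritance:r /grant:r "*${Admins}:(OI)(CI)F" "*${System}:(OI)(CI)F" "${Child}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed; does the account '$Child' exist?" }

# Start page, written after the ACL is set so the file inherits it.
# ASSUMPTION: the URL is an illustrative link; add one <a href> line per allowed site.
@'
<html>
  <head><title>Home</title></head>
  <body>
    <p><a href="https://www.khanacademy.org/">Khan Academy</a></p>
  </body>
</html>
'@ | Set-Content -Path (Join-Path $Shared 'home.html') -Encoding UTF8

# Step 13: disable Task Manager through the machine-wide policy value.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
New-ItemProperty -Path $policy -Name DisableTaskMgr -PropertyType DWord -Value 1 -Force | Out-Null

# Check: no identity other than admins/SYSTEM may hold a write-type right
# on the folder or anything in it (chrome.bat included, once it is there).
$write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$items = @(Get-Item $Shared) + @(Get-ChildItem $Shared -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $canWrite = (([int]$ace.FileSystemRights) -band ([int]$write)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and ($sid -notin @($Admins, $System))) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'OK: only admins/SYSTEM can modify the shared folder.' }
'DisableTaskMgr = ' + (Get-ItemProperty -Path $policy).DisableTaskMgr
```

Rerun the check section after copying chrome.bat into the folder; any row it prints is an identity that could rewrite the start page or the batch file the logon task runs.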
