Windows POS needs to be locked down

[thecompu-doctor]

Hi all, I'm sure there is a simple solution that I'm just having trouble sorting out. I have a customer that has a Point of Sales terminal that needs to have Internet Explorer locked down to just one domain. They don't want the staff surfing the internet. This is a windows 7 system not in a domain.

What is a good simple solution for this problem?

 

[phaZed]

You could setup a Proxy to loopback 127.0.0.1 and add a single exception using the advanced button (Internet Properties).

 

[thecompu-doctor]

That's a good idea. See I knew there'd be a simple trick. Sometimes you're too close to the problem to see a solution

 

[TurricanII]

Also remove the Connection tab in Internet Settings using Group Policy Editor:

http://smallbusiness.chron.com/remove-connection-tab-windows-internet-explorer-54922.html

I might also/alternatively consider putting an entry in the HOSTS file for the one good website and removing the DNS server IP address.

Also make sure that the business owner has communicated to staff that using the Internet on POS is gross misconduct/sackable offence. Put a sticker warning against Internet access on the POS - somewhere staff but ideally not customers can see.

Can you lock down the router/firewall too to limit access from that POS IP address to the one good website?

 

[thecompu-doctor]

Unfortunately I can't modify the router (long story).

 

[fencepost]

Are they supposed to be able to do anything else on the systems?

It sounds like what you may want is a Site-Specific Browser possibly also with turning the system into a Kiosk (search for many results).

 

[glennd]

Are they supposed to be able to do anything else on the systems?

It sounds like what you may want is a Site-Specific Browser possibly also with turning the system into a Kiosk (search for many results).

disable internet explorer through various means and set up chrome in kiosk mode. although i don't know if that will stop keyboard shortcuts from opening new tabs etc.

 

[LordIntruder]

See I knew there'd be a simple trick.

You're right. Search for PAC file at your favorite search engine.

But remember to close the possibility to configure anything in IE using gpedit after you configured it to use your pac file.

 

[thecompu-doctor]

ok, so I worked with the host file and had limited luck there. What I found when I got on site is that the software is a dining reservation software and the client computer doesn't need a browser at all. The software just needs to speak to the host server on prem. So I removed chrome, neutered Edge: http://superuser.com/questions/949814/how-to-disable-or-uninstall-microsoft-edge-in-windows-10 and then set the user account to standard (non-admin). While I know there are technically still ways to get around this, this was a simple "good-enough" solution for the client.