0

Is there some way in Windows 7 to allow restricted functionality - for example just a browser running - when the normal user has either locked their computer or has logged off?

The scenario I have in mind is that in-store, we have some PCs that are used by staff to assist customers. When they are not using the computer - i.e. when they have explicitly logged off, or have walked away and locked their computer - customers should be able to browse our website.

Obviously, when the staff member comes back, they should be able to unlock or log on and continue working.

It seems to me as if it could be done in two ways:

  1. When the user logs off, the computer should automatically log in to a restricted account which only allows access to the browser. A bit like autologin, but not just at system startup but at any time no one else is logged in.

  2. When the user locks their screen, the computer should launch the web browser, again in some sort of restricted mode. Maybe triggered by the same mechanism that would start the screensaver, but obviously one that would allow the use of keyboard and mouse, and would have a key combination that would let the staff member unlock the computer.

Any suggestions?

  • I'd say that "just a browser" would not qualify as restricted. Commented Aug 15, 2013 at 15:35
  • Agree with @HagenvonEitzen! A web browser lets you do much more than you would expect, including accessing files, running programs, executing arbitrary JavaScript (which can use computation resources on the machine to do interesting things, or make web requests to other computers), and so on. You'd need to carefully audit the capabilities of the browser you chose, which is a separate and more complicated problem from the one you're asking about (running a program under a guest account upon logoff/lock screen). Commented Aug 15, 2013 at 15:45
  • Thanks for the comments. Let's assume that all good practices will be in place to restrict what the browser can do and what the user can do. Obviously the emphasis of my question was not about restricted use from the security point of view, but restricted from the point of view of available options to the user. Please ignore the fact I used the word restriction. Imagine I said Reduced Set of Affordances instead!
    – Vihung
    Commented Aug 15, 2013 at 17:17
  • I would just offer a Kiosk mode. There exists software that will handle getting rid of files connected to the privacy of the customer (automatically clear their cookies, etc.). You're unlikely to find a solution to automatically switch to this user mode, of course. You can also handle this without a user and provide a locked-down guest account with specific functionality.
    – Ramhound
    Commented Aug 15, 2013 at 17:40
  • To add to @Ramhound: I'd suggest something like starting a virtual machine that has no access to the host disks. For small kiosk machine images check thinstation.org (though their focus is more on PXE bootable systems) Commented Aug 15, 2013 at 17:56

2 Answers

1

Leave the computer permanently logged in as a restricted user (maybe kiosk mode), but allow the staff to run a RDP or similar session from it.

You can get the remote session to disconnect automatically when not in use, or to run from within the browser, and even to access local computer resources, like scanners.

  • This definitely seems to be the best solution in my opinion, even if it's not exactly the answer that @Vihung was asking for.
    – Sawta
    Commented Oct 11, 2013 at 14:54
0

One could allow them to switch user (a feature that works pretty well in Win7) and log into a highly restricted account that would be locked down with WINSelect (an awesome Faronics product). It's just an idea, but should work; there's really only so much you can do with local policy.
