Locking a Computer Down to only one website?

I am looking to put a touchscreen laptop (running Windows 8) into a store that the public will be able to access. I want them to only have access to one website that I set. I do not want the domain shown but the program must have access to the internet (they will be able to make purchases from this in store computer via my site). How do I go about locking down the computer and browser to access only this one program/site?

Note: I am open to any browser as long as it will have full access to the site. The laptop will be connected via WiFi to the internet.


There's a few parts to this, I've tested independent elements but not the whole setup together. Doing this on a separate, limited account would be a smart thing.

Set up family safety on this account, and enable only whitelisted sites to be accessed.


You want to set up a site specific browser. Chrome allows this - through create application shortcuts (see image below) but there may be other options. I'm not sure if the links Chrome generates can be fed right into the next part of this process. Might also want to test this kiosk mode spinoff of Firefox.


You will want to set up kiosk mode. To do this, you'll need the group policy editor, accessible via running gpedit.msc. I used the instructions here as a base. Go to Configuration -> Administrative Templates -> System, and open the Custom User Interface option.


You will need to supply the complete path to the site specific browser.

Disable the three fingered salute so someone can't use that to kill the browser.

That should cover most of the bases unless I missed anything. Some testing may be needed, naturally, especially with getting the site specific browser started as a shell.


There's one way I can think of which wouldn't require any additional expenditure, but it's a bit of a hack and not exactly foolproof...

Basically you could give your laptop a static IP address. Make sure it is in the same IP subnet as your router, but outside of the range of the router's DHCP scope. For example if your router gives out IP addresses in the range 192.168.1.100-150, you could statically assign 192.168.1.50-59 for your laptop. Obviously the default gateway will be the IP address of your router.

When you assign the IP address, do not enter any values into the DNS Server fields. Without DNS the laptop will be unable to resolve websites to IP addresses and therefore your clients will be unable to surf the internet.

If you want your machine to be able to access only one website (as you indicate), then you could add that website to the local hosts file on the PC (found in C:\windows\system32\drivers\etc\hosts on - open this in Notepad and append the website and corresponding IP address into the file). The laptop would then be able to resolve the web address for this one site, and browse it accordingly while still being "blocked" from the rest of the Internet.

If you then want your laptop to be able to fully access the Internet, all you have to do is to enter the correct IP values for your DNS servers into their TCP/IP settings.

Obviously a technically savvy customer could add their own entries into the hosts file, so the solution is far from perfect.

All in all it would probably be better to splash out some money on a router with a more flexible firewall set, but if you're looking for a cheap fix, the above might help.

Another way to do this is using Group Policy. Just set the PC to use a fake proxy server (I used 127.0.0.1) then list the site you want to allow under exceptions. That should work as long as users don't use another web browser besides Internet Explorer.

Hope this helps.
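
The hosts-file answer above notes that a customer could add their own entries, so a periodic audit helps. This is an added example, not code from any of the answers: it flags hosts entries that are not on an allowlist and lists any interface that still has DNS servers set. The site name `shop.example.com`, the function names and the sample lines are assumptions.

```powershell
# Added example: audit a kiosk set up with "no DNS servers + one hosts entry".
$AllowedNames = @('shop.example.com')   # assumption: placeholder for the store's site
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntry {
    # Parse hosts-file lines into one object per hostname (a line may carry aliases).
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()   # drop full-line and inline comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }     # address with no name: nothing to resolve
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLowerInvariant() }
        }
    }
}

function Test-KioskHosts {
    # Return every entry whose name is not on the allowlist (localhost is tolerated).
    param([string[]]$Lines, [string[]]$Allowed)
    $ok = @($Allowed | ForEach-Object { $_.ToLowerInvariant() }) + 'localhost'
    Get-HostsEntry -Lines $Lines | Where-Object { $ok -notcontains $_.Name }
}

# Constructed sample: the intended entry plus one line added later by someone else.
$sample = @(
    '# kiosk hosts file',
    '127.0.0.1    localhost',
    '203.0.113.10 shop.example.com   # store site',
    '198.51.100.7 www.example.net example.net'
)
Test-KioskHosts -Lines $sample -Allowed $AllowedNames | Format-Table -AutoSize

# On the kiosk itself: check the real file, then list interfaces that still have DNS servers.
if (Test-Path $HostsPath) {
    $extra = @(Test-KioskHosts -Lines (Get-Content $HostsPath) -Allowed $AllowedNames)
    "Unexpected hosts entries: $($extra.Count)"
}
if (Get-Command Get-DnsClientServerAddress -ErrorAction SilentlyContinue) {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses
}
```

An empty result from both checks matches the setup the answer describes; running it as a scheduled task under an administrator account keeps the audit out of reach of the limited kiosk user.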