One website only

jogold

How do I set up Win10 Home to allow access to one website ONLY? Nothing else is allowed to work.
(Win10 Pro will allow kiosk but that still won't lock Edge to one website only)
Thanks
 
I'll take things that aren't really possible for $100 Alex.

You can use a UTM with a content control system. You can tweak host files, you can configure firewalls. But nothing you do will stop everything. And if you attempt to enable the things you must to allow for patching, you're opening up Microsoft's CDN, which has a TON of other stuff in it.

You can highly restrict the web, but limiting access to a single site in a way that allows that site and all attached assets is incredibly difficult in a world that uses CDNs for everything.
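To make the CDN point concrete, here is an added example (not part of the original post or thread) that takes a browser HAR export of one page load and sorts the hostnames it touched into first-party, shared-CDN and other third-party. The HAR content, the `example.org` site name and the suffix list are constructed assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

# Illustrative, non-exhaustive suffixes of multi-tenant CDN/hosting domains
# (assumption for this example; extend for your own environment).
SHARED_SUFFIXES = ("cloudfront.net", "azureedge.net", "akamaized.net",
                   "fastly.net", "jsdelivr.net", "googleapis.com")

# Constructed sample: the requests one payment page load might generate.
SAMPLE_HAR = json.dumps({"log": {"entries": [{"request": {"url": u}} for u in [
    "https://pay.example.org/donate",
    "https://pay.example.org/api/session",
    "https://static.example.org/app.js",
    "https://d111111abcdef8.cloudfront.net/widget.js",
    "https://fonts.googleapis.com/css",
    "https://cdn.jsdelivr.net/npm/lib.js",
    "https://js.processor.example.net/v3/",
]]}})

def hosts_in_har(har_text):
    """Return {hostname: request_count} for every request in a HAR export."""
    counts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts

def classify(hosts, site_domain):
    """Split hosts into first-party, shared-CDN and other third-party."""
    result = {"first_party": [], "shared_cdn": [], "third_party": []}
    for host in sorted(hosts):
        if host == site_domain or host.endswith("." + site_domain):
            bucket = "first_party"
        elif any(host == s or host.endswith("." + s) for s in SHARED_SUFFIXES):
            # Allowing this hostname also admits other tenants' content.
            bucket = "shared_cdn"
        else:
            bucket = "third_party"
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    report = classify(hosts_in_har(SAMPLE_HAR), "example.org")
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names)}")
```

Every host in the `shared_cdn` bucket has to be allowed for the page to render, and each one also serves content that has nothing to do with the payment site.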
 
Basically I need to allow access to an online payment platform website only.
But thanks for saving me the wasted time I would have spent looking for a solution.
I'll need to go with Win 10 pro and get a webfilter like quostudio to control the online access.
 
If you limit a machine to one website and one website only, how will Windows itself get updates? Or updated printer drivers? Or ...
The machine is to be used to access a payment portal site. (it might need access to the behind the scenes sites that power the portal page but that's all)
No printer or anything else is attached and Windows updates I can manually do when I want to.
I just can't allow the people accessing the machine to use it or anything else at all.
 
There used to be Kiosk software that would lock machines down like you mentioned, but I'm out of the loop, last time I saw them was in Windows 7/8 days but not sure with 10, as Microsoft has changed so much under the hood.
 
Does this payment provider have an Android or iOS app? Might be better to have a locked down tablet instead of a full Windows computer.
 
Thanks, that's what I'll do.
just to add
iexplorer.exe-settings-connections-lan settings and even if you're not an admin you can change the proxy settings.
You need to edit the registry to block that.
 
The above doesn't work, and is trivially bypassed by Chrome because it doesn't need admin to "install". Firefox has a similar operating mode. Both can easily be configured to ignore the locally configured proxy. The only browser that enforces that use is IE, even New Edge can be configured trivially by a normal user to ignore it.

Furthermore, this process breaks Windows updates... so good luck with that.

This is the worst kind of "security", the false kind. Bypassed by a user with a USB stick, and an EXE. Though I suppose if you're using this on a system that's physically installed in such a way as to prevent any sort of storage attachment you might just get away with it. Just don't forget to add windowsupdate.com to the mix... and whatever else Microsoft uses these days, so you can update the poor thing.
 
Chrome and Firefox won't be installed and Edge tampering can be blocked by registry edits.
Actually Edge can be easily controlled by Microsoft Family. iexplorer less so.
Windows updates can be done manually (or not at all as far as I'm concerned).
 
Chrome and Firefox won't be installed and Edge tampering can be blocked by registry edits.
Actually Edge can be easily controlled by Microsoft Family. iexplorer less so.
Windows updates can be done manually (or not at all as far as I'm concerned).

And now we know why cryptos can eat entire companies all at once...
 
Gimme a break. It's a standalone system that is going to be used for people to access a single website so that they can donate money.
There is no network (other than the www via a sim card), there are no open usb ports or anything other than a screen, kb and mouse connected.
Cryptos eat entire networks because people click without thinking. And because net admins can't imagine how stupid and irresponsible people will act. There is no cure for stupidity and irresponsibility.
 
@jogold No, but there's no way you can make the claim that anything approximating due diligence was paid when you operate a machine without updates that's connected to the Internet.

Any connection AT ALL... it gets patched. Double true if it's something that's accepting CC details because now PCI compliance is involved and not only patching, but monitored AV is LEGALLY REQUIRED. And that's here in the states. I cannot imagine your legal requirements on that across the pond are any more relaxed.
 
There is no cure for stupidity and irresponsibility.

And, heaven knows, companies have tried and tried and tried to train their employees to employ a few, simple practices that would stop the vast bulk of this stuff cold. All it takes is the one person who decides, for whatever reason, "Oh, I'll just do this {insert stupid thing} here this once."

Consistency in using safe interaction practices for cyberspace is pivotal. 99.99999% of these disasters can be traced back to someone doing something blatantly stupid. And ya' can't fix stupid.

One of my all-time favorite quotes, which came from one of Arthur Bloch's books of variants on Murphy's Law:

Nothing can be made foolproof because fools are just too darned ingenious!!

Sadly, their ingenuity is virtually always something that ends up in damage.
 
No, but there's no way you can make the claim that anything approximating due diligence was paid when you operate a machine without updates that's connected to the Internet.

And, I'll hasten to add, on this point we are entirely in agreement. Nothing touches cyberspace that is not patched to the most recent level available.
 
It's a standalone system that is going to be used for people to access a single website so that they can donate money.
I understand what you're trying to do, but I can't see it being practical. I certainly wouldn't put my card details into such a system.

Have you thought about a printed poster with a QR code directing to the donation site? Far fewer overheads and donors use their own devices (and data plans). Not as 'high tech', but less opportunity for things to go wrong. If you want to tart it up a bit, have a slideshow running on an offline RPi.
 
This is a problem that can be solved with a sign and a QR code pointing to the URL of the website. Let the clients use their own cell phones, not a risky kiosk. The other option is to not use Windows. Linux on a Raspberry Pi.
 
I understand what you're trying to do, but I can't see it being practical. I certainly wouldn't put my card details into such a system.

Have you thought about a printed poster with a QR code directing to the donation site? Far fewer overheads and donors use their own devices (and data plans). Not as 'high tech', but less opportunity for things to go wrong. If you want to tart it up a bit, have a slideshow running on an offline RPi.
We think alike. Made my post before I saw yours. Lol
 
We think alike. Made my post before I saw yours. Lol

From an implementation perspective, I'm absolutely with you and @NJW.

What would be interesting (and will never be known, I know) is whether a static presentation like a poster with a QR code versus some more "interactive" interface would result in any significant difference in donations.

When you're seeking "free money" these considerations can matter quite a bit. And it's just amazing what can drive behavior.
 