Set proxy for local users via GPO

I have been tasked a) to create a kiosk machine and b) configure it so that users can only visit certain internal sites, and no external sites.

Assumptions:

  1. Windows 10 machine, part of domain
  2. Local Kiosk mode, with passwordless, auto-login "Kiosk" user

For a) I'm using the Windows Kiosk Assigned Access option, which can create a local user Kiosk and has the option of running in browser mode. This is what I've chosen, and that part works fine. However...the user can browse any web site.

For b) I've spun up a squid proxy server and successfully configured it to only allow users to browse the sites they're supposed to. When I log into the machine as an AD admin, I can set my proxy settings and achieve the expected result: I cannot browse any site unless it's specified in squid. Perfect.

The last hurdle is how to enforce a proxy for the local Kiosk on that machine. Windows set up the kiosk user as a no-password, auto-login account (which conveniently ignores the GPOs on that machine which expressly enforce password length and complexity settings), and as such, you really can't log into that user and set its proxy values without first disabling kiosk mode, creating a new local user, then setting the proxy. That would be okay, except due to our org's GPOs, you can't create a local user with no password.

Anyhow, the closest I can find from the GPO side is User Configuration -> Preferences -> Control Panel Settings -> Internet Settings -> Internet Explorer 10 -> Connections tab -> LAN Settings (ffs) -> Proxy Server. There I set the address and port of the proxy server.

Since I'm pretty sure this would only apply to users in the DOMAIN, and not the LOCAL Kiosk user, I also added Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer (I hope this covers Edge since that's what the kiosk app is) -> "Make proxy settings per-machine (rather than per-user)."

I restarted the kiosk server and when logged in as my AD admin, I can run gpresult /scope computer /v and see that the policy was applied and is there. Yet, when I log in as the kiosk user, I can still browse to my heart's content, so that didn't work at all.

Any ideas on how I can push setting the proxy server so that it is ALWAYS set for all LOCAL users? Do I need to do this via some regedit magic?

Thanks in advance.
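
Added example, not part of the original post: a read-only PowerShell check that shows which registry location the proxy will be read from once "Make proxy settings per-machine (rather than per-user)" is applied, and whether a proxy is actually present there. It assumes the kiosk browser follows the WinINET system proxy settings; the function names are hypothetical, and it should be run from an elevated session on the kiosk machine.

```powershell
# Added example: inspects proxy policy and proxy values; changes nothing.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$userSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue {            # hypothetical helper: $null if key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-ProxyScopeReport {    # hypothetical name
    # ProxySettingsPerUser = 0 is what the per-machine policy writes.
    $perMachine = (Get-RegValue $policyKey 'ProxySettingsPerUser') -eq 0
    $enable     = Get-RegValue $machineKey 'ProxyEnable'
    $server     = Get-RegValue $machineKey 'ProxyServer'

    if (-not $perMachine) {
        $finding = 'Per-machine policy not in effect: each account uses its own HKCU proxy values.'
    } elseif ($enable -ne 1 -or [string]::IsNullOrEmpty($server)) {
        $finding = 'Per-machine policy is on, but HKLM holds no enabled proxy. ' +
                   'A proxy set under User Configuration lands in a user hive, not here.'
    } else {
        $finding = "Machine-wide proxy in effect for all accounts: $server"
    }

    [pscustomobject]@{
        PerMachinePolicy   = $perMachine
        MachineProxyEnable = $enable
        MachineProxyServer = $server
        Finding            = $finding
    }
}

function Get-LoadedUserProxy {     # hypothetical name
    # Lists proxy values for every user hive currently loaded (logged-on accounts).
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $path = "Registry::HKEY_USERS\$($_.PSChildName)\$userSubKey"
            [pscustomobject]@{
                Sid         = $_.PSChildName
                ProxyEnable = Get-RegValue $path 'ProxyEnable'
                ProxyServer = Get-RegValue $path 'ProxyServer'
            }
        }
}

Get-ProxyScopeReport | Format-List
Get-LoadedUserProxy  | Format-Table -AutoSize
```

Comparing the machine-level report with the per-hive table shows whether the address and port from the Preferences item reached only a domain user's hive while the machine-level location stayed empty.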
