Restricting OS access

Is there any way to restrict access to the OS when FactoryPMI is running in full-screen mode? Having a view client in an office-type environment, or using full screen on a touch-panel is fine, but in a control room it is usually necessary to have a keyboard. It is then necessary to restrict the capabilities of the account used to run the system.

This is a point which a couple of prospective customers have raised. Has anyone else come across it?

One thing that always comes to my mind when this question comes up is the use of Linux on the client machines. I keep thinking it would be cool to put together a live CD Linux distro that removes all frivolous apps and just has the base essentials to run FPMI (specifically Java and probably a browser to launch from). Of course, if you ignore the stripped-down aspect, you can just go grab a LiveCD distro like Ubuntu right now and use that.

I know that technically speaking this isn’t really answering your question, as it’s still a full OS that can browse the internet, play games, etc., but there are a few additional benefits that make it worth considering:

  1. “Security through obfuscation” - first off, most users aren’t going to feel nearly as comfortable facing a Linux desktop as a Windows one, so as long as you make it easy enough to actually get back in the client (big icon in the middle of the screen, only one on desktop, gateway as homepage of browser) you’ll probably get a long way towards your goal.

  2. LiveCD = no install, easy recovery. Turn any computer into a terminal simply by booting up with the CD in the drive.

  3. No need for Windows = $$$ saved. No need to pay for Windows when FPMI clients will run perfectly fine under Linux, and you don’t need the “user experience” of Windows.

  4. Already mentioned, but worth it: FactoryPMI clients work great in Linux, as long as Java’s installed.

I’m interested in hearing what others think about this. I’m also interested in any suggestions people have for securing down Windows clients.

The best you can do is run it in full screen mode, and remove all ability to exit the application. This works well for the casual user.

But, of course, if you have a keyboard, a user can still use ALT-TAB and CTRL-ALT-DELETE. Windows applications (Java included) cannot trap these keyboard combinations, so if you’re using Windows, your best bet is to remove access to the keyboard and have them use the on-screen keyboard. There may be some 3rd party Windows keyboard driver mechanism to disable these keyboard combos on a per-user basis, but I’m not aware of them.

Good luck.

[quote=“Carl.Gould”]The best you can do is run it in full screen mode, and remove all ability to exit the application. This works well for the casual user.

But, of course, if you have a keyboard, a user can still use ALT-TAB and CTRL-ALT-DELETE. Windows applications (Java included) cannot trap these keyboard combinations, so if you’re using Windows, your best bet is to remove access to the keyboard and have them use the on-screen keyboard. There may be some 3rd party Windows keyboard driver mechanism to disable these keyboard combos on a per-user basis, but I’m not aware of them.

Good luck.[/quote]
You forgot ALT-F4

Yeah, I did. And all of the various Windows-key shortcuts. Keyboards are dangerous things…

I’ve now Googled this question a bit. The short answer seems to be that trapping Ctrl-Alt-Del in software required the replacement of gina.dll, one of the core parts of Windows. This would also rather ruin the thin client approach of FactoryPMI.

Taking an alternative approach, all the key combinations that I know use either Ctrl, Alt or the Windows key, which I wouldn’t normally need for an HMI. Hand me that cheap keyboard and that big pot of glue…

1 Like
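
Added example, not part of any post in this thread: the software counterpart of gluing down Ctrl, Alt and the Windows key is Windows' `Scancode Map` registry value, which remaps or disables keys for every account on the machine (not per user) and is read at boot. The sketch below builds and validates that binary value; the function names are hypothetical.

```python
import struct

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout"

# Keyboard scancodes; 0xE0xx values are the extended-key forms.
SCANCODES = {
    "LCtrl": 0x001D, "RCtrl": 0xE01D,
    "LAlt": 0x0038, "RAlt": 0xE038,
    "LWin": 0xE05B, "RWin": 0xE05C,
    "Menu": 0xE05D,
}

def build_scancode_map(disabled):
    """Return REG_BINARY data mapping each named key to 'no key' (0x0000)."""
    entries = [struct.pack("<HH", 0x0000, SCANCODES[name]) for name in disabled]
    # Header: version, flags, entry count (the count includes the terminator).
    header = struct.pack("<III", 0, 0, len(entries) + 1)
    return header + b"".join(entries) + struct.pack("<I", 0)

def parse_scancode_map(data):
    """Decode a value into (source, target) pairs, rejecting malformed data."""
    if len(data) < 16 or len(data) % 4:
        raise ValueError("truncated Scancode Map")
    version, flags, count = struct.unpack_from("<III", data, 0)
    if version or flags:
        raise ValueError("unexpected header")
    if len(data) != 12 + 4 * count:
        raise ValueError("entry count does not match length")
    pairs = [struct.unpack_from("<HH", data, 12 + 4 * i) for i in range(count)]
    if pairs[-1] != (0, 0):
        raise ValueError("missing null terminator")
    return [(src, dst) for dst, src in pairs[:-1]]

def to_reg_file(data):
    """Render the value as .reg text for an administrator to review and import."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{REG_KEY}]\r\n"
        '"Scancode Map"=hex:' + ",".join(f"{b:02x}" for b in data) + "\r\n"
    )

if __name__ == "__main__":
    value = build_scancode_map(["LWin", "RWin", "Menu"])
    print(to_reg_file(value))
    print(parse_scancode_map(value))
```

`parse_scancode_map` is also useful for auditing a terminal: export the existing value and confirm which keys it actually disables before relying on it.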

Hello All,

Has there been any “new” movement on this wave? I also have a customer that is asking if I can lock out the operators from entering the WinXP OS. I already removed the EXIT from the menu, but put a button on an admin page to leave the app if necessary.

Any luck on the 3rd party app stuff before I spend Google-Time?

Thanks,

Adam

Not that I know of. You could always use Linux :open_mouth:.

It might be possible to enforce that sort of thing via Windows Group Policy. I’ve set up systems that are “only allowed” to run certain applications. This is really a lot more painful than is practical unless you literally only use the terminals for one thing.

Alternatively, you could check out “Key Trapping” applications or those designed to lock users out from doing anything - they usually replace explorer with a custom shell. Your best bet would probably be to buy a cheap one that you can download as a trial first. I remember such a setup at a school. It was effective enough, but you could do things like run applications in VBA script from a Microsoft Office macro, etc.

My opinion is that, in most cases, this is a user education process. Do you have a compelling reason to need to really prevent OS access? If there’s an easy shortcut to get back in your HMI, how bad could it be if operators want to close it? Don’t want them playing Solitaire? Uninstall it. There isn’t any installation/configuration that you’re trying to protect in FactoryPMI. All that said, I’ve been personally interested in creating a custom Knoppix build that boots entirely from a CD and loads a FactoryPMI project automatically in a closed environment. Likely to get started anytime soon? Not really. :frowning:

I’ve had some success with the following free app:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

This can set things up on a per-user basis and is much easier (imo) than Windows’ Group Policy Editor.

Thanks for the feedback, guys. I know it is sort of a training issue, but as I am sure you are aware, most customers want the perfect system that is what I like to call “STUPID PROOF”.

I will look at the app that AlThePal suggested. I can also push this off on their IT department. :laughing:

Thanks again…

I know there are third-party apps that can protect the desktop like you wish. My company uses a lot of Rockwell software, and they provide a tool called DeskLock with their HMI runtimes. I don’t think it needs any licenses, so if you happen to have an RSView disk lying around, you can try installing it.

I also found a program (with source) here: codeproject.com/KB/winsdk/An … nLock.aspx
I haven’t tried it, but it seems to do what you want.