Home > Surfing Area

Surfing Area

Restricting the surfing area means that it is up to you to determine which websites and which local files are accessible to the user.

You can either allow or deny access to certain pages or URLs or allow it after authentication.


You may find this feature helpful, for example, if you are at a trade show and want to limit access to your own pages or to those of your partners.

Note:
If you want to block content you consider to be harmful to children or young people, you should use our Content filter.
1. URLs/paths

Before you continue reading this section, please be warned to use caution when configuring the surfing area as you may otherwise end up allowing access to more content than you had originally intended.

WARNING:
If possible, make sure to never include
an * in front of the first dot (e.g. *.myPage.com or *://www.myPage.com) and always finish with the slash (/) at the end of a domain name, as users will otherwise be able to circumvent the surfing area by using an @ or the # sign, for instance http://www.yourpage.de@www.google.de.

When specifying the domain, do not use the wildcard character (*) other than for top level domains and finish by attaching the slash (/) to the domain name, e.g.
www.myPage.*/

If you are using the wildcard character to allow domains (www.myPage.*/) the slash at the end will not be sufficient to block @ and #. Please add www.myPage.*@* and www.myPage.*#* as blocked entries.

If you have entries like www.myPage.*/ and *Page*, the one with the most similarities with a visited domain will be applied. When someone visits www.myPage.com the entry www.myPage.*/ will therefore be applied.


When you enter a domain name, this entry will also apply to all subdirectories. For instance, if you allow http://www.cnn.com/, access to all pages whose addresses are preceded by http://www.cnn.com/ will be granted as well. Consequently, http://www.cnn.com/WORLD/, for instance, would be permitted as well.
You can also make use of wildcard characters "*.", for instance:
www.cnn.*/
In this case, http://www.cnn.de/ would be covered automatically as well. The same applies, of course, to top level pages, e.g.
*.com/
would only admit pages with the top level ".com/".

Of similar importance is the depth of your definitions. As an example, an entry permitting
www.webserver.com/*
will grant access to such underlying directories as www.webserver.com/yourfolder1/yourpage.htm. However, you may want to define exceptions to a certain file. An additional entry that would, for instance, forbid
www.webserver.com/yourfolder2/*
would grant access to, www.webserver.com/yourfolder1/yourpage.htm, but would deny access to www.webserver.com/yourfolder2/yourpage.htm.
1.1 Example 1:
Grant access to your homepage, but forbid all other URLs.
  1. Click on Add.
  2. Select the appropriate protocol.
    Please note that an admitted URL starting with http:// will not automatically release https:// sites on your server as well.
  3. Enter the desired URL, e.g. "www.yourcompany.com/."
  4. Click on the radio box "Grant access to URL."
  5. Click OK.
  6. Click on the radio box "Access to other Internet addresses: denied."
1.2 Example 2:
Deny access to competitor's homepage, but admit all other URLs
  1. Click on Add.
  2. Select the appropriate protocol.
    Please note that an admitted URL starting with http:// will not automatically release https:// sites on your server as well.
  3. Enter the desired URL, e.g. "*.competitor.*/."
  4. Click on the radio box "Deny access to URL."
  5. Click OK.
  6. Click on the radio box "Access to other Internet addresses: granted".
1.3 Example 3:
Allow access to a website after authentication.
  1. Click on Add.
  2. Select the appropriate protocol.
    Please note that an admitted URL starting with http:// will not automatically release https:// sites on your server as well.
  3. Enter the desired URL, e.g. "restrictedarea.yourcompany.com/."
  4. Click on the radio box "Allowed after authentication."
  5. Click OK.
  6. Click on the radio box "Access to other Internet addresses: granted".

2. URL lists as a text file

You have the option of having SiteKiosk use one or several lists of external URLs instead of adding URLs individually to the surfing area.
Note that the content included on these lists will then be fully allowed, forbidden or accessible upon authentication.
You can save these lists in .csv or .txt format. Each line of a file can contain one URL. Wildcard characters are admissible. Example:


http://www.google.com/
http://*.cnn.com/


It must be possible to access the external URL lists using the selected protocol, as SiteKiosk will otherwise not load these lists and only apply the available rules.

This allows you to easily manage the lists in a central location and conveniently make them available to several terminals at the same time.



3. Allow other URLs within the frame structure

On web pages with a frame structure, the content of external web pages can be displayed in the window of the main page.

As soon as you check this box, the loading of external content within a frame will automatically be allowed (assuming it is allowed in accordance with the permitted domains). This means that the display of the external URL will be allowed as long as the external URL is within the "permitted" URL zone. However, the display of the external URL will be forbidden whenever the user tries to load it in the address bar.

4. Authentication

If you add a URL that is only accessible after authentication or only allow access to all other Internet addresses after authentication you need to configure additional authentication options. Please click on the Settings button to make these adjustments.

Note:
This feature is not available when using the Chrome browser engine.


5. Default button

You will find that the URL list of the surfing area is already populated with a few entries. For security reasons, you should leave them on the list in order to protect your systems from outside attacks (e.g. through a file:// link on a website). . This is necessary due to the fact that 99% of all users will install SiteKiosk in the default directory and, therefore, make it easier for resourceful hackers to anticipate the internal file structure of SiteKiosk.

If you deleted or edited default entries, you can use the Default button to restore the basic configuration. This will also reset all entries that you added to the list.

The deny-access entry "$(SiteKioskPath)\*" represents SiteKiosk's installation directory and will prevent SiteKiosk's installation directory from being accessed from the outside.
As long as there is not an additional entry including a longer path, access to all subdirectories will be denied as well. However, the following entries will partially lift this restriction:
The entries "$(SiteKioskPath)\html\*" and "$(SiteKioskPath)\skins\public\*" will grant access to the corresponding subdirectories of SiteKiosk's installation directory. This is essential for SiteKiosk browser themes to function properly.


6. Tips and recommendations
  1. If using local HTML pages (file://) stored in the SiteKiosk directory, you can also set $(SiteKioskPath) as a variable for the main part of the path (instead of, for instance, c:/program files/sitekiosk). This will particularly helpful if you want to use one configuration on several machines on which SiteKiosk may have been installed in different directories.
  2. Beware of URL redirection
    While you may deny access to http://www.newsweek.com/, you will, in fact, not prevent the website from being displayed as the URL will be redirected to "http://www.thedailybeast.com/newsweek.html.". It is therefore important to note that only the URL in the address bar will be permitted.
  3. Be aware of the protocol you are using
    If you admit a URL using the protocol http://, you will not automatically admit URLs using the protocol https://. Banks in particular have many pages that begin with the protocol "https://." Be sure to allow "https://" pages, provided that they are available.
  4. Wildcard characters (asterisks)
    Simplify your entries by using a wildcard "*". The asterisk is a replacement character. If you use, for example, www.sitekiosk.*/, www.sitekiosk.com + www.sitekiosk.com + www.sitekiosk.net will be admitted as well.
  5. Restricted surfing area and PowerPoint files (PPT)
    If you keep your Windows/Office updated, users should not experience any difficulty using PowerPoint/PPT files. If you do run into problems, however, one alternative is to save the PPT file as an HTML presentation in Office and specify the file "fullscreen.htm" as your starting URL.
  6. Use the Content filter if you want to block access to content that is forbidden by law.
  7. If you restrict access to, for example, "page.html," embedded objects might not be displayed. If you enable Log files (and maybe the debug output window as well), you will be able to tell from the log files which objects were blocked as a result of your settings.

See also

Welcome
New Features
Scope of Supply/Installation
Support
System Requirements
Demo Version Restrictions
Registering SiteKiosk
PROVISIO Contact Information
Remote Monitoring (SiteRemote)
Guide for First-Time Users
Password
Start Page & Browser
Screensaver
Logout
Applications
Print
Email
Files & Downloads
Input Devices
Maintenance
Access/Security
Logfiles
On-Screen Keyboard
Content Filter
Telephony (SIP)
Payment Devices
Customization (Skins)
System Security Manager
OpenSource Components
About


Back to top