Putting this in because I keep coming up with this from scratch. Might as well share with google. I think I remembered the important steps.

Debian web kiosk mode, with flash and java. For a simple kiosk leave flash and/or java out. For a keyboardless kiosk or display machine you do not have to perform steps 6.3 or 8. This is not especially hardened, but is suitable for environments where the machine can be casually watched.

1) install base debian install (do not select ANY options during tasksel at the end of install)

2) log in as root, install:

1. xserver-xorg-core

(xorg core)

2. fluxbox

(minimal window manager)

3. Iceweasel

(we need some firefox plugins)

4. unclutter

(hides mouse cursor when not being used - important for display kiosks)

5. sun-java6-plugin

6. flashplugin-nonfree

(flash and java needed for some websites - you may not need these)

7. openssh-server

(for remote management after display is locked down)

3) make a user named display, set a password

4) edit /etc/rc.local using your favorite editor (nano should be installed, as is vi):

add this line before the exit 0:

     su - display -c startfluxbox 2> /dev/null &

5) edit /etc/X11/Xwrapper.config:

1. change allowed_users=console to allowed_users=anybody

6) Go ahead and reboot, you should log in as display to a fluxbox desktop.

Switch back to VT1 and log in as root, then su - to display.

1. As display, edit ~/.fluxbox/autostart.sh

     unclutter &
     iceweasel &
     xset -display :0 dpms force on
     xset -display :0 dpms 0 0 0

The xset lines are useful for an unattended display kiosk that won't have keyboard or mouse activity, and turn off power management for the display. If you want the display to turn off after some period of inactivity, change the last line to appropriate values. (Read the xset man page.)

2. As display, edit ~/.fluxbox/init

Add this line to the end:

session.screen0.rootCommand: sh /home/display/.fluxbox/autostart.sh

3. As display, edit ~/.fluxbox/keys

find these lines and consider commenting them out:

     Mod1 F1 :Exec xterm
     Mod1 F2 :Exec fbrun
     Mod1 F4 :Close
     Mod1 F9 :Minimize
     Mod1 F11 :Fullscreen

These set up the alt+F1 key to bring up a terminal and the alt+F2 key to open the run command window. Either option would allow a user to type blindly behind the R-Kiosk Iceweasel window, but start a program (or kill Iceweasel) via command line. The alt+F4 key and alt+F9 keys would allow the user to close or minimize the Iceweasel window. The alt+F11 key would bring Iceweasel out of full screen mode, exposing the taskbar to the user. For a display only kiosk without a user accessible keyboard you shouldn't have to worry about these settings.

7) Reboot again, you should log in as display and have Iceweasel started.

1. With Iceweasel, install the TryAgain plugin and set the options you want (timeout, number of tries, etc.)

2. With Iceweasel, install the R-Kiosk plugin, but do not enable it yet.

3. Set Iceweasel's homepage to the page you want the kiosk to be at. Also run through Iceweasel and turn off features you don't want (tab bar, javascript, etc.) One thing to pay attention to is automatic updates of plugins. For a kiosk machine, especially one that is just displaying information, you do not want Iceweasel to take it upon itself to update the plugins. Turn this off.

8) Create an /etc/X11/xorg.conf file:

     Section "Serverflags"
        Option "DontVTSwitch"
     EndSection

This xorg.conf file disables the "ctrl+alt+Fn" key combinations used to switch to virtual terminals.

9) With Iceweasel, activate the R-Kiosk plugin. Then reboot. If you haven't restarted xorg after step 8, you can still switch to a virtual terminal to reboot. Otherwise, ssh in.

At this point you should have a fairly locked down browser session. Depending on what edits you made to .fluxbox/keys your users may have different options to deal with the browser. You should be able to access the box remotely via ssh as root for other management. Additional tweaking may be needed for your individual situation. For example, if you are using a large monitor over s-video, consider forcing the screen resolution in xorg.conf. You will probably want ntp installed, etc. Depends on your environment.

Edit:

With a kiosk machine, especially one connected to a large display (for advertising, etc.) there is a significant chance that the kiosk machine is rebooted when the display is powered off. Displays may be powered off at night to conserve power, and any maintenance on the kiosk machine is likely done at this time where a reboot cycle will not be visible to the public.

With the Squeeze kernel and KMS, if no display is detected you get no video. (I predict some frustrated traffic on web forums or e-mail lists when people start their desktop machines in the "wrong" order with Squeeze.) No video on a kiosk that has a main purpose of displaying video is an issue.

Luckily, the solution is quick and easy.

First, determine which video port you are using -- VGA, DVI, etc. and then tell the kernel to always turn that port on, even if the kernel does not detect a monitor attached to the port.

For example to turn on the VGA port edit /etc/default/grub and change

    GRUB_CMDLINE_LINUX_DEFAULT="quiet"

to

    GRUB_CMDLINE_LINUX_DEFAULT="quiet video=VGA-1:e"

The above example tells KMS to enable the VGA-1 port regardless of whether a display is detected on the port or not. The video= kernel argument has the syntax to set a specific display geometry and refresh rate, but the options are limited to what the BIOS will support. So I find it easier to just enable the port, and then create a stub xorg.conf file that uses a modes line in the display section to set the resolution you want. For example a kiosk I have is pushing video to a large screen TV at 1920x1080. That resolution doesn't work with the video= setting.

The video= commands aren't well documented, but there is some info here (which relates specifically to nouveau, but can be applied to other chipsets that KVM supports:)http://nouveau.freedesktop.org/wiki/KernelModeSetting

Edit: some clarifications in the instructions regarding editing files and settings.

Edit: When you update this system remotely, from time to time Iceweasel will pop up dialog boxes asking if you want the latest version of Try Again or R-Kiosk. For a kiosk with a mouse and keyboard, this isn't too much of a problem as you can just deal with the pop-ups locally. However for an advertising kiosk with no local keyboard or mouse this can be a problem. A tool that I use to get around this is the x11vnc package.

A) Install x11vnc

B) Create a wrapper script to start x11vnc for you. I called mine vnc_view.sh and put it in /usr/local/bin:

    #!/bin/bash
    sleep 60
    x11vnc -display :0 -env  FD_XDM=1 -auth guess -forever -passwd password &

The sleep command doesn't start x11vnc for a minute after boot, which gives xorg and fluxbox time to set up. If you leave this out, x11vnc will try to start before the xorg environment is ready. After the pause x11vnc is started in the background.

C) Call the wrapper script from rc.local, after you start fluxbox:

    /usr/local/bin/vnc_view.sh

You can now interact with the desktop using a vnc client to clear dialog boxes that appear after an iceweasel upgrade.

Good luck.