I am a strong believer that security should be concentrated on the server side, the web server could make some checks to verify that the client is running the correct version of the browser, for instance using a https connection and a client side certificate.

Another thing, why use a window manager at all, if you are controlling the server you should be able to limit everything to a single browser window, just start a “maximized” browser with no window manager.

Not insurmountable but probably the biggest cost issue to look at since most of the things you are asking for are in xguest as bochecha says.

xguest already does that ;)

That one is easy :P

- Disallow the user to do any network traffic except to that one server (on ports 80/443 only) – the system itself should of course be able to do DHCP, DNS, et al.

SELinux confines the xguest user so that Firefox is the only application running in his session that can access the network.

Set up a filtrating proxy that only allows the ports 80 and 443 to this one web server only (Squid is pretty easy to setup to do that).

- Disallow any networking over anything but Ethernet

IPTables will be your friend here.

- Disallow access to any local storage (HDDs, SSDs, USB-keys/-disks)

Not sure how to do that. Maybe with some Udev rules you can prevent the devices to be created, and thus they won’t be mounted.

- Disallow the user to run anything but Firefox (even when Firefox prompts to open anything) – or a more secure gecko based browser(?)

The easiest would probably be to extend the xguest user to do that.

- Use matchbox-window-manager
- Have as little software as necessary

Just choose the installed RPMs in your kickstart.

- (Be easily update-/upgradeable)

This one is easy, provided you make all your modifications available as RPMs.

« Oh, and what’s the best way to bring all this onto a live media? »

Like I said, everything in RPM, then a kickstart file, then pungi/livecd-creator to create the image.