Disabling IE add-ons and toolbars with Group Policy?

Disabling the option "Enable third-party browser extensions" under Tools -> Internet Options -> Advanced (or Control Panel -> Internet Options) successfully disables most browser bars while still allowing the typical plugins (Java, Flash, etc.).

If I recall correctly, you can control this option in GP. The setting can be found under 'User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Allow third-party browser extensions'.


For XP with IE6, your KB source is a workable solution.

I added the CLSID for Flash (found from youtube.com HTML source) and blocked it by adding it to Local Security Policy "User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-On Management > Add-on List".

Put in the CLSID and a 0 for the value (disable), and on the next IE refresh, Flash wouldn't load.

Sounds like adding a list of the most common offenders to a GPO would take care of most of your issues.


I have the same questions you do with regard to Class IDs possibly changing when JavaScript & Flash are upgraded.

Anyhow, in the process of trying to find more info on this, I figured out that in IE9 you can select an add-on and hit 'More Information' in the bottom-left-ish, and it gives you the Class ID. I confirmed IE6 doesn't have this. I don't have any IE7s or IE8s available to test currently. However, the Microsoft article DOES show you how to find the Class IDs that were blocked in the section 'Troubleshooting the Manage Add-ons feature'. Sadly it doesn't look like a quick job; it will take some research.


First of all, there is a solvable JavaScript problem with disabled add-ons: http://support.microsoft.com/kb/915729

There is the ToolbarCop which makes the disabling task easier - it's not a checkbox solution, but it's close.

If you want to do it by hand, you can learn the CLSIDs here.
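
For the by-hand route, a read-only inventory of toolbar and Browser Helper Object CLSIDs can be pulled from the registry and compared with the Add-on List policy. This is an added example, not code from the thread; it assumes the per-user policy values are stored under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID`, and it covers toolbars and BHOs only, not ActiveX controls such as Flash.

```powershell
# Added example (not from the thread): read-only inventory of IE toolbar and
# BHO CLSIDs, matched against the per-user Add-on List policy values.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
$stateText = @{ '0' = 'Disabled'; '1' = 'Enabled'; '2' = 'Enabled, user-managed' }
# Native and 32-bit-on-64-bit registry views; IE add-ons can register in either.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

function Get-AddOnListPolicy {
    # Hashtable of CLSID -> policy value ("0", "1" or "2") set by the Add-on List.
    $list = @{}
    $key = Get-Item -LiteralPath $policyKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $list[$name.ToUpper()] = [string]$key.GetValue($name)
        }
    }
    return $list
}

function Get-IEAddOnInventory {
    $policy = Get-AddOnListPolicy
    $seen = @{}   # CLSIDs already reported, so each one is listed once
    foreach ($root in $roots) {
        $bho = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        $bar = "$root\Microsoft\Internet Explorer\Toolbar"
        $ids = @()
        if (Test-Path -LiteralPath $bho) {   # BHOs are subkeys named by CLSID
            $ids += @(Get-ChildItem -LiteralPath $bho | ForEach-Object { @{ Id = $_.PSChildName; Kind = 'BHO' } })
        }
        if (Test-Path -LiteralPath $bar) {   # toolbars are values named by CLSID
            $ids += @((Get-Item -LiteralPath $bar).GetValueNames() | ForEach-Object { @{ Id = $_; Kind = 'Toolbar' } })
        }
        foreach ($entry in $ids) {
            $clsid = $entry.Id.ToUpper()
            if ($clsid -notmatch '^\{[0-9A-F-]{36}\}$' -or $seen.ContainsKey($clsid)) { continue }
            $seen[$clsid] = $true
            $class = Get-Item -LiteralPath "$root\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
            $dll   = Get-Item -LiteralPath "$root\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $state = 'Not in Add-on List'
            if ($policy.ContainsKey($clsid)) { $state = $stateText[$policy[$clsid]] }
            New-Object PSObject -Property @{
                CLSID = $clsid; Kind = $entry.Kind; Policy = $state
                Name  = $(if ($class) { $class.GetValue('') })   # class display name
                File  = $(if ($dll)   { $dll.GetValue('') })     # DLL that implements it
            }
        }
    }
}
Get-IEAddOnInventory | Sort-Object Kind, Name | Format-Table Kind, Name, CLSID, Policy, File -AutoSize
```

Rows reported as "Not in Add-on List" are the candidates for a value of 0 in the GPO; the File column shows which DLL each CLSID loads.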


You mention XP. Is this just a solution for XP?

For Windows 7, AppLocker GPO can help. It's an application whitelist and blacklisting feature in Group Policy (but only works for Windows 7 clients).

There are some good intro videos from TechEd (search that site for more AppLocker vids).

The quick and dirty (but not comprehensive) way is to allow everything and add deny rules for what you want to block. The more comprehensive way is to make a white list of all apps on all your computers (not just IE). If you do quick and dirty, create a new GPO, enable tracking of exe and dll, find the most common browser add-ons on your machines that you don't want, and add them with a deny rule.

You can try all sorts of ways to block them... like blocking the install via publisher cert (i.e. block all apps from Yahoo), blocking file paths of where it puts the installs, etc.

While testing, I recommend using the Local Security Policy. Ensure the Application Identity service is running (then wait 5 min).

Just to see how it would react, I added a deny rule to block all DLLs in %SYSTEM32%\Macromed\Flash*.* and IE acted gracefully as if Flash was never installed.