How can i disable download from all browsers using group policy for domain users in windows server 2008 R2 Standard Edition?
We have using Windows server 2008 R2 edition.
I need the group policy for disable download option for domain users.
Anyone please let me know the policy settings.
Thanks in advance.
Solution 1:
What you're looking for sounds like a simple thing but it really isn't.
When you say "all browsers" I tend to think that you're talking about third-party web browser software (Google Chrome, Firefox, Opera, wget, curl, etc). You're going to find that third-party web browser software is less amenable to being controlled by Group Policy than Internet Explorer.
By "downloading" I think you're saying "saving the contents of HTTP(S) accessible resources to disk files while still allowing the user to view web pages". Considering that's exactly what a browser does when accessing web sites to allow users to view pages I think you're going to have a tough time of this. If the machine is able to arbitrarily communicate with other hosts via HTTP(S) and the user can execute arbitrary code then users can "download".
Your options are to remove the user's ability to execute arbitrary code and/or remove the ability for the computer to arbitrarily communicate with other hosts. Software Restriction Policy is your best bet for the first, and a web filter device / application is your best bet for the second.
You can play games with the IE "Security Zones" and other settings via Group Policy but a determined attacker is going to be able to get around such games even if they can't execute arbitrary code. If the attacker can just run a copy of wget they bring in on their own storage media then all the Group Policy machinations in the world aren't going to help you, either.
Solution 2:
The only way to truly achieve what you want is to restrict internet access at the network level. This can be achieved by something like an in-line proxy, or by adding ACL's to your outbound ports which prevent requests originating from IP's which aren't either servers or the proxy.
You really shouldn't rely on client side restrictions for this.