Group Policy Setting of the Week 18 – Allow file download (Internet Explorer)

This weeks setting is one that you would use if you are in an environment that you want a very high level of security (e.g. Kiosk computers). The “Allow file download” option is used to prevent the downloading of files via Internet Explorer. This setting does not prevent the browser form downloading files such as images to display in the browser page but it does prevent users from downloading of files when a user click on a file download link. This could also be useful if you want to help limit the security attack vector of users being tricked into download and running malicious files on their computers from the internet which could help mitigate some Zero day attacks.

Note: This does not prevent users from running Firefox or Chrome to get around this restriction (although they would have difficulty in downloading it) therefore you may also want to consider deploying AppLocker or Software Restriction Policies to prevent the running of those apps.

To enable this restriction you need to first “Enable” the policy and then set the Allow file downloads option to “Disable” . This setting can be found under Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone. This setting can also be configured on the other zone’s under the Security Page section however the Internet Zone is what most web sites are classified as and therefore will have the largest affect.

image

When this policy is applied to a user and the user clicks on a hyperlink to a file to download they will then receive this dialogue box.

image

If you did enabled this setting and you wanted to let users download file from particular web sites you could add the site URL to the trusted sites zone list. I have previously blogged how to do here https://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/

P.S. Sorry i am a day late with this one… have been a bit busy lately. But don’t worry i will make sure that i always have time to do a setting of the week post each week.

Author: Alan Burchill

Microsoft MVP (Group Policy)

14 thoughts on “Group Policy Setting of the Week 18 – Allow file download (Internet Explorer)

  1. this is fine, buti need exclude some of the files, like pdf. word, excell alone. is it possible ???

    1. Satheesh,

      Yes it is possible to exclude any particular application from the restriction. You just follow User-configuration/policies/ windows setting / security setting / Software restriction / additional rules.
      and create the new path rule and give the application installed location path and select unrestricted in the security level.

  2. this is fine, buti need exclude some of the files, like pdf. word, excell alone. is it possible ???

  3. I have the same need a Satheesh. It would be great to be able to exclude certain file types from this policy since even PO’s and Invoices are being downloaded from sites.

  4. Satheesh,

    Yes it is possible to exclude any particular application from the restriction. You just follow User-configuration/policies/ windows setting / security setting / Software restriction / additional rules.
    and create the new path rule and give the application installed location path and select unrestricted in the security level.

  5. Satheesh,

    Yes it is possible to exclude any particular application from the restriction. You just follow User-configuration/policies/ windows setting / security setting / Software restriction / additional rules.
    and create the new path rule and give the application installed location path and select unrestricted in the security level.

  6. Hi, i have a similar issue:
    one of the SAP sites is configured as a trusted site. when someone exports a report to excel, they get the “save” or “open” dialogue.
    if they choose “Open”, the file opens correctly.
    if they choose “Save”, they get the following message:
    “The operation has been cancelled due to restrictions in effect on this computer…”
    i went over the entire GPO, but couldn’t find anything that may indicate why this is.
    (BTW – it happens with all file types, for example .TIF)
    any ideas?

  7. To enable this restriction you need to first “Enable” the policy…..

    What policy name???

  8. This setting can be found under Configuration…

    Computer or user config? This article is a joke.

Leave a Reply to ShlomiCancel reply