Windows – Internet Explorer: How to block executable files (exe/com/pif/scr/bat/ps1) from being ‘Run’ on download

Tags: group-policy, internet explorer, internet-explorer-11, windows

Hi, I would like users to download any file (as they currently can) – but for executable files (exe/com/pif/scr/bat/ps1), I would like the 'Run' option to be hidden or disabled.

If that is not possible, what's the closest solution to prevent users running a .bat file they downloaded from a webpage on Internet Explorer?

The machine isn't on a domain, but we can use gpedit.msc. I tried the Software Restriction Policies, but that only blocks .exe.

Many thanks

Best Answer

The closest you might be able to get is to block the download of “high risk” file types in Internet Explorer and provide some other method for users to download them.

The block can be accomplished by enabling Group Policy User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Internet Zone → Show security warning for unsafe files. (The policy must be Enabled, and the option set to Disable.)

See Information about the Attachment Manager in Microsoft Windows for the list of the file types that IE considers “unsafe”. (It includes all the ones you mentioned except .ps1.)

Note that Chromium and Google Chrome also use the Windows Attachment Manager for downloads, so the IE setting will block downloads in those browsers too. I don’t know about Firefox.
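To confirm on a standalone machine that the setting described in the answer has taken effect, the PowerShell below reads the corresponding registry value. It is an added example, not part of the original answer, and it assumes the policy is stored as the DWORD value `1806` (0 = Enable, 1 = Prompt, 3 = Disable) under the Internet zone key `Zones\3`, a location the page itself does not give.

```powershell
# Added example (not from the original answer).
# Assumption: the "Show security warning for unsafe files" policy is stored as
# DWORD value "1806" under the Internet zone key (Zones\3).
$zone3 = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$locations = [ordered]@{
    'User policy (gpedit, User Configuration)' = "HKCU:\Software\Policies\$zone3"
    'Machine policy'                           = "HKLM:\Software\Policies\$zone3"
    'User preference (Internet Options)'       = "HKCU:\Software\$zone3"
}
$meaning = @{ 0 = 'Enable (open without warning)'; 1 = 'Prompt'; 3 = 'Disable (blocked)' }

function Get-UnsafeFileSetting {
    foreach ($name in $locations.Keys) {
        $path  = $locations[$name]
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # The value may be absent even when the key exists.
            $prop = Get-ItemProperty -LiteralPath $path -Name '1806' -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.'1806' }
        }
        $text = 'Not configured'
        if ($null -ne $value) {
            $text = 'Unknown value'
            if ($meaning.ContainsKey([int]$value)) { $text = $meaning[[int]$value] }
        }
        [pscustomobject]@{ Location = $name; Path = $path; Value = $value; Setting = $text }
    }
}

$report = Get-UnsafeFileSetting
$report | Format-Table -AutoSize

# The answer needs the policy Enabled with the option set to Disable (value 3).
$enforced = $report | Where-Object { $_.Location -like '*policy*' -and $_.Value -eq 3 }
if ($enforced) {
    Write-Output 'Policy is set to Disable for the Internet zone.'
} else {
    Write-Output 'Policy is not set to Disable; re-check gpedit.msc and run gpupdate /force.'
}
```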
