Blocking Users From Running .exe files using GPO

  • Question

  • Greetings,

    We have policies in place which block users from running .exe from %UserProfile%\Appdata\Local\Temp, but I also need to block these files being run directly from Internet Explorer, so I have added a new rule in the GPO with the following:

    %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.exe

    This doesn't work. Could it be because the path has spaces in it? If I try to block up to: %USERPROFILE%\AppData\Local\Microsoft\Windows\*.exe, this is working fine.

    Any ideas?



    Wednesday, December 6, 2017 2:04 PM

All replies

  • Hi All,

    Can anyone help here? I'm really struggling to be able to stop .exe running directly from the internet, and it's just from this folder only that it doesn't work. Everything above this folder level the policy I have works fine and blocks the .exe from running.



    Monday, December 18, 2017 2:48 PM
  • Hi,

    Why are exe files appearing in the TIF? Only web resources should be there? There should be no reason why .exe files are appearing in the TIF. Which website is caching exe files to the TIF?

    Can you give an example of a link on a web page?

    To deploy exe files on a domain network, either package them in an MSI or Gzip file.




    Wednesday, December 20, 2017 11:33 PM
  • Hi There

    When we run .exe files from Internet Explorer they run from the TIF location, and for some reason my software restrictions will not work on that location. Not sure if this is because it's a hidden system file location.

    Basically my goal is that I want to stop users from running .exe files directly from the internet to help with preventing things running that shouldn't.



    Thursday, December 21, 2017 9:00 AM
  • Hi,

    In your GPO security templates

    Internet Explorer>Internet Control Panel>Security Page>Internet zone

    "Show security warning for potentially unsafe files"

    This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

    If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.

    If you disable this policy setting, these files do not open.

    If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.


    You can apply the above setting to the Internet and Trusted sites zones. I think it is already disabled by default for the Restricted sites zone, and enabled for the Internet zone.

    You may want to also disable user access to the Security tab of Internet Options so that they cannot alter your security policies and zone mapping lists. Commonly users will add internet sites to their IE Trusted sites zone, thinking that the security is higher (==Trusted).... in the vain hope of trying to get their Facebook or pongo login to work on their work computer.

    The default level for the Internet zone is Medium High and only Medium for the Trusted zone. Generally you would only add domains to the IE Trusted sites lists where they are your business partners' portals that you need to access from your intranet hosts.

    The above GPO setting is equivalent to Internet Options>Security tab>Internet zone : "Launching programs and unsafe files"



    Thursday, December 21, 2017 11:20 AM
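
To check what a client actually ends up with for the zone setting discussed in the last reply, the following PowerShell audit is an added example, not code from the thread. It assumes the setting is stored as registry value `1806` under each zone key with data 0 (enable), 1 (prompt) or 3 (disable), and the hive lookup order it uses is a simplification.

```powershell
# Added example: report the "Launching programs and unsafe files" action (value 1806)
# for each Internet Explorer security zone, and where the value comes from.
$zoneNames = 'Local Computer', 'Intranet', 'Trusted sites', 'Internet', 'Restricted sites'
$meaning   = @{ 0 = 'Enable (opens without warning)'; 1 = 'Prompt'; 3 = 'Disable (blocked)' }
$zonesKey  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumed lookup order: machine policy, user policy, then user and machine preferences.
$hives = @(
    @{ Source = 'HKLM policy';     Path = "HKLM:\Software\Policies\$zonesKey" },
    @{ Source = 'HKCU policy';     Path = "HKCU:\Software\Policies\$zonesKey" },
    @{ Source = 'HKCU preference'; Path = "HKCU:\Software\$zonesKey" },
    @{ Source = 'HKLM preference'; Path = "HKLM:\Software\$zonesKey" }
)

function Get-ZoneLaunchSetting {
    param([ValidateRange(0, 4)][int]$Zone)

    foreach ($hive in $hives) {
        $item = Get-ItemProperty -Path "$($hive.Path)\$Zone" -Name '1806' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.'1806'
            $text  = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown ($value)" }
            # Flag zones that hold outside content but launch executables silently.
            $flag  = ($Zone -in 2, 3) -and ($value -eq 0)
            return [pscustomobject]@{
                Zone = $zoneNames[$Zone]; Value = $value; Action = $text
                Source = $hive.Source; Review = $flag
            }
        }
    }
    # No value found: per the policy text above, the zone default then applies.
    [pscustomobject]@{
        Zone = $zoneNames[$Zone]; Value = $null; Action = 'Not configured (zone default)'
        Source = 'none'; Review = $false
    }
}

0..4 | ForEach-Object { Get-ZoneLaunchSetting -Zone $_ } | Format-Table -AutoSize
```

A row whose Source is a preference hive rather than a policy hive means the user can still change that value from the Security tab, which is the situation the reply above recommends closing off.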