none
Block "Open In..." action for Office documents from Sharepoint using GPManagement on Windows Server?

    Question

  • Is it possible to stop users from opening Office documents (Excel, Word etc) which are hosted on SharePoint by using the "Open In XXXXX" button? Where XXXXX is the Office application relevant to the office document being opened.

    Essentially we need to block all file downloads from cloud services on our domain but the "Open in...." button SharePoint is a way for users to get around the existing group policies regarding downloading files from the internet.

    Kind Regards,

    KF

    Wednesday, February 24, 2016 11:58 AM

Answers

  • Good news, from Server 2012 R2 I managed to figure out the way to allow users to view the documents on the SharePoint website whilst also blocking the files from downloading and preventing the local Client app opening via the "Open in..." button on the SharePoint website.

    The solution is simple and embarrassingly obvious from within Group Policy Management in Server 2012:

    User configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page

    Open the Site to Zone Assignment List setting

    Enable it if not already

    Select the "Show..." button

    Add https://*.sharepoint.com as the 'Value Name'

    Add 4 as the 'Value'

    Having tested this, all users can still view the document in Internet Explorer but no user is able to download the office documents to their computer or network share, nor are they able bypass the GPO rule and open it directly into a locally installed instance of Microsoft Office.

    This of course will not apply to all 3rd party web browsers, but for us we have locked down enough to only allow IE11.

    • Marked as answer by ProjectVRD Thursday, February 25, 2016 11:39 AM
    Thursday, February 25, 2016 11:39 AM

All replies

  • Hi,

    Thanks for your post.

    As far as I know, there is no such a group policy to block "Open In..." action for Office documents from SharePoint. But we can the default open behavior for SharePoint documents. Please refer to the following article:

    Set the default open behavior for browser-enabled documents (Office Web Apps when used with SharePoint 2013)

    https://technet.microsoft.com/en-us/library/ee837425.aspx?f=255&MSPPError=-2147217396

    Also if you need any help regarding SharePoint, we can seek help in our SharePoint forum:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=sharepointadmin&filter=alltypes&sort=lastpostdesc

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 25, 2016 4:04 AM
    Moderator
  • Good news, from Server 2012 R2 I managed to figure out the way to allow users to view the documents on the SharePoint website whilst also blocking the files from downloading and preventing the local Client app opening via the "Open in..." button on the SharePoint website.

    The solution is simple and embarrassingly obvious from within Group Policy Management in Server 2012:

    User configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page

    Open the Site to Zone Assignment List setting

    Enable it if not already

    Select the "Show..." button

    Add https://*.sharepoint.com as the 'Value Name'

    Add 4 as the 'Value'

    Having tested this, all users can still view the document in Internet Explorer but no user is able to download the office documents to their computer or network share, nor are they able bypass the GPO rule and open it directly into a locally installed instance of Microsoft Office.

    This of course will not apply to all 3rd party web browsers, but for us we have locked down enough to only allow IE11.

    • Marked as answer by ProjectVRD Thursday, February 25, 2016 11:39 AM
    Thursday, February 25, 2016 11:39 AM
  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 26, 2016 1:45 AM
    Moderator