An extreme way to prevent malware attacks
Although a somewhat drastic method of protecting your computer, Microsoft makes it possible to disable all downloads in Internet Explorer.
There are several situations when disabling downloads in IE provides a temporary or permanent fix to guard your PC against viruses, worms, Trojan horses, and other malware. Read on to learn why and how to stop users of your computer from downloading files.
Why Disable Downloads?
Some downloaded files carry with them more of a threat to your computer’s security than others. Executable files with an *.exe file extension are particularly dangerous because those files, as their name implies, have executable code. Unless you are absolutely sure that a downloaded executable file is from a trustworthy source, you should never click on this type of file.
Ask any experienced computer administrator and he/she will tell you that the threat from viruses and other malware goes up exponentially as more people have access to and use a PC. Even in a home environment, impatient kids or inexperienced users are more likely to click away on anything that looks enticing. Disabling the ability to download files is one thing you can do to protect your computer from these users’ actions.
Finally, if you have a guest account on your computer that anyone can use, you need a method of protecting your PC from malicious downloads. The safest alternative is to disallow any downloads at all. After all, if a person doesn’t have his/her own account on a computer and must use the guest account, you have a strong incentive to protect yourself against the actions of this casual user.
Obviously, the biggest loophole in this method is that someone could just download Chrome or Firefox and download all they want, right? Yes, so technically, you have to setup your computer in a way so that it can either only run IE or will block Firefox and other browsers from running. You can read my previous post on setting up kiosk mode for an account in Windows 10, which is the first method.
To prevent other applications from running, you would need to configure something like AppLocker. This won’t work if you have the Home version of Windows though. It’s a bit complicated to setup, so kiosk mode might be a better option if you’re just trying to prevent your kids from messing up your computer.
How to Block Downloads in IE
Luckily, disabling downloads in IE is just a few clicks away. Begin by opening up IE and clicking on Tools on the menu bar. Then click on Internet Options to open the Internet Options window.
On the Internet Options window, click on the Security tab and then click on the Custom Level button located in the Security Level for this Zone section.
You should now be looking at the Security Settings – Internet Zone window. In the Settings box, scroll down to the Downloads section and locate an option titled File Download. Change this option from Enabled to Disabled. Click the OK button.
IE now asks if you want to change the settings for this zone. Click OK.
In order for this change to take effect, you must restart IE. Close IE and reopen it.
If you want to test the setting, go to any reputable site and try to download a file. As an example, you could go to www.adobe.com and try to download Adobe Reader. Notice that when you click to download the file, IE gives you a security alert and informs you that your security settings do not allow this file to be downloaded.
For the ultimate protection from malicious downloads, consider disabling downloads in IE altogether. Although a drastic approach to computer security, this may be your most powerful weapon against malware when many people use your computer or if you have a guest account on your PC.
Disable Downloads in Group Policy
If you are running the Pro or higher version of Windows, you can also set this option in Group Policy. To do this, click on Start and then type in group policy.
This will open the local group policy editor. Now navigate to the following section:
Computer Configuration - Administrative Templates - Windows Components - Internet Explorer - Internet Control Panel - Security Page - Internet Zone
Once you are there, you should see an option on the right-hand side called Allow file downloads.
Double-click on that item and make sure to select the Disabled radio button.
Again, you’ll need to do some additional work to really prevent tech-savvy users from figuring out other ways to bypass this restriction. It’s always a good idea to disable access to the command prompt too as files can be downloaded that way easily. Enjoy!