Best way to block downloads of executables and archives, while allowing normal files (PDF, images, videos)?
Posted by Same-Target-3116@reddit | sysadmin | 21 comments
I’m trying to restrict a Windows environment so users can still download normal files like PDFs, images, and videos, but prevent downloading potentially risky files such as executables or compressed archives.
The goal is to allow:
- PDF, images, videos, documents
- general browsing and normal usage
While blocking:
- .exe, .msi, .bat
- .zip, .rar, .7z
I understand that blocking execution with AppLocker is one layer, but I’m specifically looking for ways to control the download side as well.
So far I’ve looked into:
- Browser policies (Chrome / Edge)
- Extensions
But I’m not sure what the most effective or maintainable approach is.
Ideally I want something that:
- Doesn’t break normal browsing
- Works across different browsers (if possible)
- Is not easily bypassed
Any recommendations or real-world approaches would be appreciated.
jon13000@reddit
Any modern web filter should be able to accomplish this. Cisco umbrella, zscaler.
ALombardi@reddit
Restart service. Retry download during restart.
jon13000@reddit
Well yeah. I’m assuming users do not have rights to do jack all on the PC as standard practice.
ALombardi@reddit
I mean within the Zscaler app UI itself, not the service on the machine. There is a 'restart service' button you can click and it will kill the Zscaler service on the laptop and restart it. While it is down, users can simply retry the download/link/whatever was being blocked prior. I've seen more orgs than not have this setting allowed for users in case "troubleshooting" is needed.
jon13000@reddit
Yikes. I didn’t know this. I demoed zscaler a while back and went with umbrella. This is not possible in umbrella.
Kumorigoe@reddit
Guy, you keep posting this same shit and you never ever give any details of why you need to do this. What's the use case? Why this incredibly convoluted way of doing things? Why do you keep repeating the same post over and over and over again?
You're pretty close to earning a vacation from the sub. Provide details, answer the questions, and stop wasting our time.
Same-Target-3116@reddit (OP)
That's it, I followed some suggestions from here that helped me.
anpr_hunter@reddit
* Remove local admin + restrict users' ability to write outside their user profile
* Software Restriction Policies for executables within the user profile. There are cryptolocker mitigation templates you can employ for this which cover other dicey executables like screensaver files.
Wodaz@reddit
Have you had any weird issues show up with SRP and Windows 11? I have had several instances, specifically on Windows 11, where things that should be blocked by SRP make it through, but not always. I have not been able to track it down. If I move those into AppLocker, it's fixed. But, since it was intermittent, I don't know that it didn't fix itself. SRP is pretty deprecated as well. I think they listed it as deprecated in 2018.
anpr_hunter@reddit
I've never had issues with SRP, even on W11, but I'll hasten to add that it takes a lot of trial/error with procmon to get wildcard usage for executables within subdirectories just right.
And yeah, I know they've announced that it's deprecated but they also want administrators to move all their GPOs to Intune policies despite lacking feature parity, so we take heed of the slop accordingly.
tensorfish@reddit
If you really mean block the download itself, this stops being a browser-policy problem and becomes a web-filter / proxy problem with TLS inspection. Then still keep AppLocker or WDAC on the endpoint, because users will just get the same payload via sync clients, USB, renamed files or somewhere else your filter never sees. Browser extensions are the flimsiest part of that stack.
Same-Target-3116@reddit (OP)
USB drives won't be a problem; they're not allowed.
justinDavidow@reddit
All this is going to accomplish is people coming up with ways around it.
If a third party download site names a file zipfile.pdf, what do you expect your solution to do?
Extensions are useless bits of text that help indicate to an operating system "should I allow this to be executed". If you want to get into content inspection, you're going to need to actually get into content inspection. Open the files up at the network layer using a content proxy server and fingerprint against the MIME content header shapes you know about (but also need to check within each file payload for further headers!)
https://www.squid-cache.org/Misc/proxies.dyn is one such list of software that can do that; you'd need to configure the environment based on your specific needs and then set and force the proxy for all user accounts (Group Policy). It's going to be a ton of work to set up and maintain, will be obtrusive, and keep in mind that you're functionally man-in-the-middling the staff.
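A content-sniffing check of the kind this comment describes, as an added example (not the commenter's code and not anything from Squid): it classifies a download by its leading bytes, never by the filename extension, and looks inside a ZIP for executables. The signature table and the sample payloads are constructed for the demo.

```python
import io
import zipfile

# Leading-byte signatures for the types in the thread (constructed table, not exhaustive).
SIGNATURES = {
    b"MZ": "pe-executable",             # .exe / .msi stubs / .scr all start as PE
    b"PK\x03\x04": "zip-archive",
    b"Rar!\x1a\x07": "rar-archive",
    b"7z\xbc\xaf\x27\x1c": "7z-archive",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
BLOCKED = {"pe-executable", "zip-archive", "rar-archive", "7z-archive"}


def sniff(payload: bytes) -> str:
    """Classify by magic bytes; the extension the site chose is irrelevant."""
    for magic, kind in SIGNATURES.items():
        if payload.startswith(magic):
            return kind
    return "unknown"


def zip_members(payload: bytes) -> list[tuple[str, str]]:
    """Open a ZIP in memory and classify each member by ITS leading bytes (nested check)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                found.append((info.filename, sniff(member.read(16))))
    return found


def decide(filename: str, payload: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one download. Filename is only echoed in the reason."""
    kind = sniff(payload)
    if kind == "zip-archive":
        inner = ", ".join(k for _, k in zip_members(payload))
        return ("block", f"{filename}: content is zip-archive containing {inner}")
    if kind in BLOCKED:
        return ("block", f"{filename}: content is {kind}")
    return ("allow", f"{filename}: content is {kind}")


def _fake_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a real PDF header, a ZIP holding a PE stub but named .pdf, a bare PE, a JPEG.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "zipfile.pdf": _fake_zip("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}
```

Run `decide(name, data)` over each entry of `SAMPLES`: the renamed archive is still blocked, and the reason names the executable found inside it.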
sryan2k1@reddit
Any SASE solution.
nakkipappa@reddit
We did this using browser settings for Edge, but it doesn’t specifically say exes and msi. If you use block dangerous downloads, it will apply to other files as well. So far very few problems; it has been mostly with XML files.
binaryhextechdude@reddit
Nothing wrong with your idea, but I just wanted to mention another approach. Let them download whatever they want, but use allow-listing software to block any software that is not explicitly allowed from running.
txmail@reddit
You need a DPI-capable firewall / router. Deep Packet Inspection [DPI] inspects the packets going across the wire and can identify the file type and selectively remove it or replace it. It is a bit of a chore to set up since you have to install certificates on all the machines that connect to the router so SSL is also inspected (without it, only non-SSL traffic can be inspected, which is not much). It sort of acts like a man in the middle of every connection. Depending on the size of your office and speed requirements -- this can get pricey quick.
Your other option is using a web proxy that basically can do the same thing -- but typically only covers web traffic (vs DPI, which can intercept more than just web traffic, like instant messaging and other protocols). You still need to deploy an SSL cert with the proxy too on every machine / device that needs access.
SquashNo7817@reddit
https://reddit.com/r/sysadmin/comments/1slaath/is_it_possible_to_detect_and_temporarily_restrict/
Ok
Yesterday it was a 30-second delay...
Are you trying different ways of annoying users?
TheRedstoneScout@reddit
I believe any firewalls capable of SSL Decryption and content inspection could probably do this.
I have similar restrictions to yours for our general users and then relax it a bit for IT staff.
THEYoungDuh@reddit
Why?
Needing to compress files is an incredibly common user need for sharing.
Winter-Swimmer-3000@reddit
Do you have a firewall? Can it do content inspection? Is it connected to your AD/Entra? If so I'd have a look there.