I'd love to have the peace of mind of knowing that none of my desktops have toolbars, "browser helpers" or any other crap like that running.
Has anybody done this successfully with Group Policy?
I found this article, but it's not all that clear:
http://support.microsoft.com/kb/883256
If I want to ban all plugins but the Google Toolbar, Flash & Windows Update on XP, there isn't a clear explanation on how to do it. It seems that I would have to know the ClassID of every toolbar I would like to allow.
The article doesn't really go into how an admin would find these ClassIDs. Does Flash have a different ClassID for each version? Does it vary by OS? What about Windows Update on XP boxes - it requires a plugin that would need to be expressly enabled.
It's such a common problem that there should be an easy solution. It would be great if there was just a checkbox list of common plugins, so you could enable Flash for everyone, Google Toolbar for devs, Windows Update for XP, etc.
Disabling the option "Enable third-party browser extensions" under Tools -> Internet Options -> Advanced (or Control Panel -> Internet Options) successfully disables most browser bars while still allowing the typical plugins (Java, Flash, etc).
If I recall correctly, you can control this option in GP. The setting can be found under 'User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Allow third-party browser extensions'.
For XP with IE6, your KB source is a workable solution.
I added the CLSID for Flash (found from youtube.com HTML source) and blocked it by adding it to Local Security Policy "User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-On Management > Add-on List".
Put in the CLSID and a 0 for value (disable), and on the next IE refresh, Flash wouldn't load.
Sounds like adding a list of the most common offenders to a GPO would take care of most of your issues.
I have the same questions you do in regards to ClassIDs possibly changing when JavaScript & Flash are upgraded.
Anyhow, in the process of trying to find more info on this I figured out that in IE9 you can select an add-on and hit 'More Information' in the bottom-left-ish and it gives you the Class ID. I confirmed IE6 doesn't have this. I don't have any IE7 or 8s available to test currently. However, the Microsoft article DOES show you how to find the Class IDs that were blocked, in the section 'Troubleshooting the Manage Add-ons feature'. Sadly it doesn't look like a quick job; it will take some research.
First of all, there is a solvable JavaScript problem with disabled add-ons: http://support.microsoft.com/kb/915729
There is the ToolbarCop which makes the disabling task easier - it's not a checkbox solution, but it's close.
If you want to do it by hand, you can learn the CLSIDs here.
You mention XP. Is this just a solution for XP?
For Windows 7, AppLocker GPO can help. It's an application whitelist and blacklisting feature in Group Policy (but only works for Windows 7 clients).
There are some good intro videos from TechEd (search that site for more AppLocker vids).
The quick and dirty (but not comprehensive) way is to allow everything and add deny rules for what you want to block. The more comprehensive way is to make a white list of all apps on all your computers (not just IE). If you do quick and dirty, create a new GPO and enable tracking of exe and dll, find the most common browser add-ons on your machines that you don't want, and add them with a deny rule.
You can try all sorts of ways to block them... like blocking the install via publisher cert (i.e. block all apps from yahoo), blocking file paths of where it puts the installs, etc.
While testing, I recommend using the Local Security Policy. Ensure the Application Identity service is running (then wait 5 min).
Just to see how it would react, I added a deny rule to block all DLLs in %SYSTEM32%\Macromed\Flash*.* and IE acted gracefully, as if Flash was never installed.
There is a setting in Group Policy that allows you to deny all add-ons unless specifically allowed. It can be found here: 'User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management'
Enable the 'Deny all add-ons..' option and then just add the ones you want to keep in the 'Add-on List' option.
Problem seems to be as soon as you add a white-list, EVERYTHING is disabled except what is in there. Java. Flash. Etc. I was hoping to find a list of common extensions, but so far it is a LOT of work to use a white-list.
To get the class ID of an add-on, go into 'Manage add-ons' from the Tools menu; in the resulting window there should be a drop-down where you can choose "All add-ons". Right-click the add-on you want to enter into the GPO and select 'More information'; in the resulting pop-up window, click the Copy button, which will copy everything to the clipboard. Paste into your favorite text editor; now you can copy the CLASSID you need and paste it into the Value Name field of your GPO. The 'value' field should be 0 (denied), 1 (allow, user can't change) or 2 (allow, user can change).
There is a good explanation with pictures and video here on how to set it up:
https://www.itscforum.dk/showthread.php?64-Windows-Get-rid-of-those-toolbars-and-add-ons-in-Internet-Explorer
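
Several posts above ask how an admin finds the ClassIDs to enter in the Add-on List. As an added example (not code from any poster or from the KB article), this read-only PowerShell script lists the add-on CLSIDs registered on a reference machine, with their names, DLLs and any value already set by policy. The registry locations and the function names `Resolve-Clsid` and `Get-AddonPolicy` are assumptions of this example; check the locations against your own IE version.

```powershell
# Added example: read-only inventory of IE add-on CLSIDs for the Add-on List policy.
# Registry locations below are assumptions of this example, not taken from the thread.
$sources = @(
  @{ Kind='BHO';     Values=$false; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
  @{ Kind='BHO';     Values=$false; Path='HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
  @{ Kind='Toolbar'; Values=$true;  Path='HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' },
  @{ Kind='Toolbar'; Values=$true;  Path='HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar' },
  @{ Kind='Loaded';  Values=$false; Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats' }  # add-ons IE has loaded for this user
)
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-Clsid([string]$Clsid) {
  # Friendly name and in-process DLL, checking the native and 32-bit class views.
  foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
    $key = "$root\$Clsid"
    if (Test-Path -LiteralPath $key) {
      $name = (Get-ItemProperty -LiteralPath $key).'(default)'
      $dll  = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
      return New-Object PSObject -Property @{ Name = $name; Module = $dll }
    }
  }
  return New-Object PSObject -Property @{ Name = '(not registered)'; Module = $null }
}

function Get-AddonPolicy([string]$Clsid) {
  # Value already configured in the Add-on List, if any (0, 1 or 2 as described above).
  foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID"
    if (Test-Path -LiteralPath $key) {
      $value = (Get-Item -LiteralPath $key).GetValue($Clsid)
      if ($null -ne $value) { return "$value" }
    }
  }
  return 'not listed'
}

$found = foreach ($s in $sources) {
  if (-not (Test-Path -LiteralPath $s.Path)) { continue }
  # BHOs and loaded add-ons are subkeys; toolbars are value names.
  $ids = if ($s.Values) { (Get-Item -LiteralPath $s.Path).GetValueNames() }
         else { Get-ChildItem -LiteralPath $s.Path | ForEach-Object { $_.PSChildName } }
  foreach ($id in $ids) {
    if ($id -notmatch $clsidPattern) { continue }   # skip non-CLSID entries
    $info = Resolve-Clsid $id
    New-Object PSObject -Property @{ Kind = $s.Kind; CLSID = $id; Name = $info.Name
                                     Module = $info.Module; Policy = Get-AddonPolicy $id }
  }
}
$found | Sort-Object CLSID, Kind -Unique | Select-Object Kind, CLSID, Policy, Name, Module | Format-Table -AutoSize
```

Running it before and after a plugin upgrade on a test machine shows whether that plugin's CLSID changed, which is the open question raised earlier in the thread.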