Internet Explorer: How to block executable files (exe/com/pif/scr/bat/ps1) from being 'Run' on download
Sebastian Wright
Hi, I would like users to download any file (as they currently can), but for executable files (exe/com/pif/scr/bat/ps1), I would like the 'Run' option to be hidden or disabled.
If that is not possible, what's the closest solution to prevent users running a .bat file they downloaded from a webpage in Internet Explorer?
The machine isn't on a domain, but we can use gpedit.msc. I tried the Software Restriction Policies, but that only blocks .exe.
Many thanks
23 Answers
The closest you might be able to get is to block the download of “high risk” file types in Internet Explorer and provide some other method for users to download them.
The block can be accomplished by enabling Group Policy User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page → Internet Zone → Show security warning for unsafe files. (The policy must be Enabled, and the option set to Disable.)
See Information about the Attachment Manager in Microsoft Windows for the list of the file types that IE considers “unsafe”. (It includes all the ones you mentioned except .ps1.)
Note that Chromium and Google Chrome also use the Windows Attachment Manager for downloads, so the IE setting will block downloads in those browsers too. I don’t know about Firefox.
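As an added example (not code from the answer above): the same block applied from PowerShell by writing the registry values this Group Policy setting controls, plus the Attachment Manager inclusion list so .ps1 is treated as high risk too. Assumptions are mine: the per-user policy lives under HKCU, the Internet zone is zone 3, value 1806 is "Launching applications and unsafe files" with 3 = Disable, and HighRiskFileTypes is a semicolon-separated extension list; the function names are mine as well.

```powershell
# Added example (not the answer's own code): set the same "unsafe files" block
# through the registry values the Group Policy setting writes, and extend the
# Attachment Manager high-risk list so .ps1 is covered as well.
# Assumptions (mine): per-user policy under HKCU; Internet zone is zone 3; value
# 1806 is "Launching applications and unsafe files" with 3 = Disable (block);
# HighRiskFileTypes is a semicolon-separated extension list. Run as the target user.

$ZonePolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$AttachPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

function Set-UnsafeFileLaunchBlock {
    # 1806 = "Launching applications and unsafe files": 0 = Enable, 1 = Prompt, 3 = Disable
    New-Item -Path $ZonePolicy -Force | Out-Null
    New-ItemProperty -Path $ZonePolicy -Name '1806' -PropertyType DWord -Value 3 -Force | Out-Null
}

function Add-HighRiskFileTypes {
    param([string[]]$Extensions)
    New-Item -Path $AttachPolicy -Force | Out-Null
    $current = (Get-ItemProperty -Path $AttachPolicy -Name 'HighRiskFileTypes' -ErrorAction SilentlyContinue).HighRiskFileTypes
    $list = @()
    if ($current) { $list = @($current -split ';' | Where-Object { $_ }) }
    foreach ($ext in $Extensions) {
        if ($list -notcontains $ext) { $list += $ext }   # merge, never clobber what is already listed
    }
    New-ItemProperty -Path $AttachPolicy -Name 'HighRiskFileTypes' -PropertyType String -Value ($list -join ';') -Force | Out-Null
}

function Get-UnsafeFileBlockState {
    [pscustomobject]@{
        LaunchUnsafeFiles = (Get-ItemProperty -Path $ZonePolicy -Name '1806' -ErrorAction SilentlyContinue).'1806'
        HighRiskFileTypes = (Get-ItemProperty -Path $AttachPolicy -Name 'HighRiskFileTypes' -ErrorAction SilentlyContinue).HighRiskFileTypes
    }
}

Set-UnsafeFileLaunchBlock
Add-HighRiskFileTypes -Extensions '.ps1'   # exe/com/pif/scr/bat are already in the built-in list
Get-UnsafeFileBlockState                   # expect LaunchUnsafeFiles = 3 and .ps1 in HighRiskFileTypes
```

The read-back at the end is the check worth keeping: after a gpupdate or a fresh logon, open an IE download of a .ps1 and a .bat and confirm both are refused, not just prompted. Because the keys are per-user, repeat for each account (or write the same values under HKLM if you want it machine-wide).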
If you are running the Enterprise version of Windows 7, 8/8.1, or 10, you can use AppLocker to configure this policy through the local Group Policy editor (gpedit).
AppLocker is far superior to Software Restriction Policies. Not only can you configure executable rules like with SRP, you can also set policies for MSI installers, scripts (.bat, .vbs, .ps1, etc.) and Windows Universal (.appx) packages. You can also configure allow/deny rules based on paths, file hashes, and publisher/version info in the certificate (if the application/script is signed with one).
The location to configure the policy is in Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies.
The downside to AppLocker is that it only works on the Enterprise editions of Windows, not the Pro versions. Also, you cannot use AppLocker and Software Restriction Policies together.
Here is Microsoft's documentation of the feature. If you have an Enterprise version, it's definitely worth a look. Note that the link references Windows 8/8.1, but it works equally well in Win7 and Win10.
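As an added example (not the answer's own code): an AppLocker policy built and applied from PowerShell that keeps the default allow rules and adds an explicit Deny for anything run from a user's Downloads folder, in both the Exe collection (exe/com/pif/scr) and the Script collection (bat/cmd/ps1/vbs/js), with a dry run against a sample script before enforcement. Assumptions are mine: an Enterprise edition, an elevated session, Downloads under %OSDRIVE%\Users\<name>\Downloads, and arbitrary rule names and GUIDs.

```powershell
# Added example (not the answer's own code): build an AppLocker policy with the
# default allow rules plus an explicit Deny for anything run from a Downloads
# folder, dry-run it against a sample script, then apply it locally.
# Assumptions (mine): Enterprise edition, elevated PowerShell, Downloads lives
# under %OSDRIVE%\Users\<name>\Downloads; rule names and GUIDs are arbitrary.

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0')  # S-1-1-0 = Everyone
    $id = [guid]::NewGuid().ToString()   # AppLocker requires each rule Id to be a GUID
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-RuleCollection {
    param([string]$Type)   # "Exe" covers .exe/.com/.pif/.scr; "Script" covers .bat/.cmd/.ps1/.vbs/.js
    # Deny rules win over Allow rules, so the first rule blocks Downloads even for Administrators.
    $rules = @(
        New-PathRule 'Deny anything in a Downloads folder'   '%OSDRIVE%\Users\*\Downloads\*' 'Deny'
        New-PathRule '(Default) All files in Program Files'  '%PROGRAMFILES%\*'              'Allow'
        New-PathRule '(Default) All files in Windows'        '%WINDIR%\*'                    'Allow'
        New-PathRule '(Default) Administrators: all files'   '*'                             'Allow' 'S-1-5-32-544'
    ) -join "`n"
    "  <RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">`n$rules`n  </RuleCollection>"
}

$PolicyXml  = "<AppLockerPolicy Version=`"1`">`n$(New-RuleCollection 'Exe')`n$(New-RuleCollection 'Script')`n</AppLockerPolicy>"
$PolicyPath = Join-Path $env:TEMP 'deny-downloads.xml'
[System.IO.File]::WriteAllText($PolicyPath, $PolicyXml)

# Dry run: what would the policy do to a .bat sitting in this user's Downloads?
$Sample = Join-Path $env:USERPROFILE 'Downloads\sample.bat'
Set-Content -Path $Sample -Value '@echo off'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Sample -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule    # expect PolicyDecision = Denied

# Enforcement needs the Application Identity service running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply to local policy. Without -Merge this replaces any existing local AppLocker rules.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Only the Exe and Script collections carry rules, so only those two are enforced; Msi and Dll stay unconfigured. Keep the three default allow rules in each collection: without them an enabled collection blocks everything outside the rule set, including the OS itself.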
One way you could do this would be to restrict or put an explicit Deny on the NTFS ACL permission Traverse folder / execute file for this user account (or a security group they are a member of) on the folder into which IE 11 downloads the files that can be executed (e.g. the /Downloads folder).
This way they can download and save to this folder just fine with IE, but when they go to execute, they'll get a permission-denied type of message and be prevented from executing anything from this location.
Add New Explicit Deny Security
Right-click on the folder, select Properties, go to the Security tab, select Advanced, select Add, select Show Advanced Permissions, select Select a principal, and type in the username or security group to restrict. Once the principal is selected, set the Type field to Deny and the Applies to field to This folder and files, then go down to the Advanced Permissions section, check Traverse folder / execute file and press OK.
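As an added example (not from the answer above): the same explicit Deny on Traverse folder / execute file applied to the Downloads folder from PowerShell, scoped to "This folder and files" as in the GUI steps, read back, and then tested. Assumptions are mine: the principal name, the folder path and the test file; the function names are mine.

```powershell
# Added example (not from the original answer): apply the explicit Deny on
# "Traverse folder / execute file" to the Downloads folder with PowerShell,
# scoped to "This folder and files" as in the GUI steps, read it back, and
# test it. Assumptions (mine): principal and folder names; run elevated.

$Principal = 'RestrictedUser'                      # local user or group to restrict
$Folder    = 'C:\Users\RestrictedUser\Downloads'

function Add-DenyExecuteRule {
    param([string]$Path, [string]$Identity)
    # ExecuteFile on a directory is the "Traverse folder / execute file" permission;
    # ObjectInherit + PropagationFlags.None == "This folder and files" (subfolders not included).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DenyExecuteRules {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    }
}

# Returns $true when starting the file fails with an access error.
# Run this as $Principal, because a Deny only bites the identity it names.
function Test-ExecuteDenied {
    param([string]$File)
    try { Start-Process -FilePath $File -Wait -NoNewWindow; $false }
    catch { $_.Exception.Message -match 'denied' }
}

Add-DenyExecuteRule -Path $Folder -Identity $Principal
Get-DenyExecuteRules -Path $Folder | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited

# As the restricted user: an .exe copied into Downloads should now refuse to start.
Copy-Item "$env:WINDIR\System32\whoami.exe" "$Folder\whoami-copy.exe"
Test-ExecuteDenied -File "$Folder\whoami-copy.exe"
```

Test the file types you actually care about while logged on as that user rather than as the administrator who set the ACL. An .exe is loaded as a process image, so the execute deny is checked when it starts; a .bat is opened for reading by cmd.exe, so check that case explicitly instead of assuming the same deny covers it. Also note the deny inherits only to files created in Downloads afterwards; existing files pick it up through inheritance propagation when Set-Acl writes the folder ACL.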