internet-explorer-11 gpo

How can I fully block non-admin users from launching Internet Explorer without breaking IE-Mode in Edge?


I've been asked to completely block Internet Explorer from running for a normal user. We've tried the GPO setting to disable IE as a standalone browser, but using VBS or clicking certain "Learn More" links in Control Panel still opens IE. We can't afford to block all VBScripts, and from what I understand blocking or removing iexplore.exe will break IE-mode. Is there a way that can 100% stop IE from opening without collateral damage?

We've already got most requests for IE redirected to Edge, and we've tried using this article to block opening IE, but again, this still doesn't stop all methods of calling IE.

Here's the VBS I used to confirm we could still open IE:

Set objIE = CreateObject("InternetExplorer.Application")
objIE.Navigate "google.com"
objIE.Visible = 1

Another engineer also found that you can open IE with the following steps: Control Panel -> Internet Options -> Programs -> Manage add-ons -> in the lower left, click the "Learn more about toolbars" link.


Solution

  • According to the IE11 Retirement FAQ

    The following also remain in-support:

    Internet Explorer mode in Microsoft Edge
    Internet Explorer platform (MSHTML/Trident), including WebOC and COM automation

    I believe the mentioned workarounds fall into this category. Kind of like WebBrowser Control.

    For the VBS entry, you may modify the value of the (Default) key at HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32, which represents the reference of InternetExplorer.Application. I suggest you make a backup first, of course.

    For the learn more about toolbars entry, you might as well disable the Programs panel. For GPO, go to Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel. Then, enable the Disable the Programs page policy. Users will no longer have access to the Programs panel.
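
An added example, not part of the original answer: a PowerShell audit that backs up the `LocalServer32` registration named above, reports what it currently points to, and checks whether the Programs page policy has been applied. The backup folder, the use of the machine-wide `HKLM\SOFTWARE\Classes` location (which `HKEY_CLASSES_ROOT` merges in), the 32-bit view path and the `ProgramsTab` policy value name are assumptions; confirm the value name against your `inetres.admx` and run from an elevated 64-bit PowerShell.

```powershell
# Added example: audit and back up the registrations discussed in the answer.
$clsid     = '{0002DF01-0000-0000-C000-000000000046}'  # CLSID quoted in the answer
$backupDir = Join-Path $env:TEMP 'ie-com-backup'       # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Machine-wide registration in the 64-bit view and the assumed 32-bit view.
$views = [ordered]@{
    x64 = "SOFTWARE\Classes\CLSID\$clsid\LocalServer32"
    x86 = "SOFTWARE\Classes\WOW6432Node\CLSID\$clsid\LocalServer32"
}

$comReport = foreach ($v in $views.GetEnumerator()) {
    $psPath = "Registry::HKEY_LOCAL_MACHINE\$($v.Value)"
    if (Test-Path -LiteralPath $psPath) {
        # GetValue('') returns the unnamed (Default) value of the key.
        $server = (Get-Item -LiteralPath $psPath).GetValue('')
        $file   = Join-Path $backupDir "LocalServer32-$($v.Key).reg"
        & reg.exe export "HKLM\$($v.Value)" $file /y | Out-Null
        [pscustomobject]@{
            View       = $v.Key
            Server     = $server
            PointsToIE = [bool]($server -match 'iexplore\.exe')
            # The owner shows who would have to grant write access for a change.
            Owner      = (Get-Acl -LiteralPath $psPath).Owner
            Backup     = $file
        }
    } else {
        [pscustomobject]@{ View = $v.Key; Server = $null; PointsToIE = $false
                           Owner = $null; Backup = $null }
    }
}

# "Disable the Programs page": assumed to be stored as ProgramsTab = 1.
$policyReport = foreach ($hive in 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') {
    $p   = "Registry::$hive\Software\Policies\Microsoft\Internet Explorer\Control Panel"
    $val = if (Test-Path -LiteralPath $p) { (Get-Item -LiteralPath $p).GetValue('ProgramsTab') }
    [pscustomobject]@{ Hive = $hive; ProgramsTab = $val; ProgramsPageDisabled = ($val -eq 1) }
}

$comReport    | Format-List
$policyReport | Format-Table -AutoSize
```

Any view where `PointsToIE` is still true is one where the `CreateObject("InternetExplorer.Application")` test from the question can be expected to keep launching IE.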