Managing Internet Explorer add-ons in enterprise environments remains one of the most persistent headaches for sysadmins. The fundamental problem lies in IE's permissive architecture that allows virtually any application to inject toolbars and BHOs (Browser Helper Objects) without proper administrative oversight.
While the Microsoft KB article provides basic guidance, it falls short in practical implementation details. Here's how to properly implement add-on restrictions:
Windows Registry Editor Version 5.00

; Sample policy registry settings for IE add-on management
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions]
"NoToolbarExtensions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
"NoToolbar"=dword:00000001
To create an effective whitelist (allowing only approved add-ons like Flash or Windows Update), you'll need to identify their CLSIDs:
- Open IE and go to Tools > Manage Add-ons
- For each approved add-on, note the Class ID shown in the details pane
- Cross-reference with these common CLSIDs:
// Common CLSIDs for reference
Adobe Flash: {D27CDB6E-AE6D-11CF-96B8-444553540000}
Windows Update (XP): {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F}
Create a new Group Policy Object with these settings:
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
1. Enable "Deny all add-ons unless specifically allowed in the Add-on List"
2. In "Add-on List", add each approved CLSID with value 1
Important notes about CLSID stability:
- Adobe Flash typically maintains the same base CLSID across versions
- Windows Update components differ between XP/Vista/7/10
- Third-party toolbars often change CLSIDs with updates
For more dynamic control, consider this PowerShell script to audit and manage add-ons:
# Get all installed BHOs
# Instantiate the COM class with this CLSID (it must be registered on the machine)
$bhoclass = [Type]::GetTypeFromCLSID("{B4F3A835-0E21-4959-BA22-42B3008E02FF}")
$mgr = [Activator]::CreateInstance($bhoclass)
$addons = $mgr.GetBHOs() | Select-Object Name,Clsid,Enabled
# Save the inventory so it can be compared against the approved list
$addons | Export-Csv "C:\addons_audit.csv" -NoTypeInformation
# Disable unwanted add-ons
$mgr.DisableBHO("{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}") # Example bad BHO
Regularly update your whitelist:
- Quarterly audits of approved CLSIDs
- Test policy changes in a staging environment
- Combine with Software Restriction Policies for defense in depth
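For the periodic audit described above, the following added example (not code from the original page) lists the BHOs registered on a machine and flags any whose CLSID is not in the Add-on List policy. The registry locations it reads, and the output file name, are assumptions that do not appear on the page.

```powershell
# Added example, not from the original page. Registry locations below are assumptions:
# BHO registrations under ...\Explorer\Browser Helper Objects, and the Add-on List
# policy under ...\Policies\Ext (RestrictToList, plus CLSID\<clsid> = "1").
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
$sources = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Class = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Class = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

# Load the Add-on List: value name is the CLSID. Following the page, only data "1"
# is treated as approved.
$approved = @{}
$listKey = Get-Item -LiteralPath "$policyKey\CLSID" -ErrorAction SilentlyContinue
if ($listKey) {
    foreach ($name in $listKey.GetValueNames()) {
        $approved[$name] = [string]$listKey.GetValue($name)
    }
}
$policy = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
$denyByDefault = ($null -ne $policy) -and ($policy.RestrictToList -eq 1)

# Resolve each registered BHO to its friendly name and DLL, then mark approval.
$report = foreach ($src in $sources) {
    Get-ChildItem -LiteralPath $src.Bho -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $class  = Get-Item -LiteralPath "$($src.Class)\$clsid" -ErrorAction SilentlyContinue
        $server = Get-Item -LiteralPath "$($src.Class)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid    = $clsid
            Name     = if ($class)  { $class.GetValue('') }  else { $null }
            Dll      = if ($server) { $server.GetValue('') } else { $null }
            Approved = ($approved[$clsid] -eq '1')
        }
    }
}

if (-not $denyByDefault) {
    Write-Warning 'RestrictToList is not set: add-ons outside the list are not blocked.'
}
$report | Sort-Object Approved, Clsid | Format-Table -AutoSize
# Output file name is a constructed placeholder.
$report | Where-Object { -not $_.Approved } |
    Export-Csv -Path "$env:TEMP\unapproved_bhos.csv" -NoTypeInformation
```

Rows with `Approved = False` and an unexpected `Dll` path are the ones to review before the next whitelist update.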
Internet Explorer's add-on architecture has been both a blessing and a curse for enterprise environments. While legitimate plugins like Flash and Windows Update serve critical functions, the platform's openness invites toolbars and BHOs that degrade performance and security.
Microsoft provides two primary Group Policy settings for controlling IE add-ons:
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
- Deny all add-ons unless specifically allowed: Use policy "Do not allow users to enable or disable add-ons"
- Approved add-ons list: Configure through "Approved add-ons list" in Group Policy
To build your approved list, you'll need the CLSID (Class ID) of each add-on:
- Launch IE and go to Tools → Manage Add-ons
- For each approved add-on, note the Class ID shown in details
Example for Flash Player:
Adobe Flash Player: {D27CDB6E-AE6D-11CF-96B8-444553540000}
The approved add-ons list uses this XML structure:
<approved-addons>
  <addon id="{D27CDB6E-AE6D-11CF-96B8-444553540000}" name="Adobe Flash Player"/>
  <addon id="{2318C2B1-4965-11D4-9B18-009027A5CD4F}" name="Google Toolbar"/>
  <addon id="{5CA3D70E-1895-11CF-8E15-001234567890}" name="Windows Update"/>
</approved-addons>
Important notes about CLSIDs:
- Flash maintains the same CLSID across versions
- Windows Update's CLSID remains consistent on XP
- Third-party toolbars often change CLSIDs with updates
For enterprise rollout:
- Test policies on a small group first
- Document all approved CLSIDs
- Combine with Software Restriction Policies
For complete control, block add-on DLLs via:
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules