One of our latest support incidents was a request to block domain users from being able to install and run Google Chrome.
Domain users were able to install Google Chrome on domain-joined computers even though they were not administrators on the machines. This resulted in users downloading and installing Chrome as their standard browser, which is against the company's standard IT security policy. Users were able to do this because the Google Chrome installer puts the software in the user's profile directory, where the user has full control, rather than in the standard Program Files directory. The user profile installation directories are the following:
- Windows XP and Windows Server 2003 – C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application\
- Windows 7 and Windows Server 2008 – C:\Users\%username%\AppData\Local\Google\Chrome\Application\
To solve this problem easily, you can use Group Policy Software Restriction Policies to block Google Chrome from running and installing.
The GPO needs to have the following configured:
1. Navigate to the User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies folder.
2. Right-click Software Restriction Policies and select New Software Restriction Policies.
3. Right-click Additional Rules and choose New Path Rule.
4. In the Path field, type chromesetup.exe.
5. Select Disallowed in the Security level drop-down and click OK to save the rule.
6. Repeat steps 3 – 5 for the following files as the path rule:
   - Chrome.exe (blocks Chrome from running if installed)
   - C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Windows XP & Windows Server 2003)
   - C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe (Windows 7 & Windows Server 2008)
7. If you are going to link the GPO to an OU that contains only computer accounts, you need to enable user Group Policy loopback processing so the policy is applied to users when they log on to the computer. The loopback processing setting is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy.
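
To confirm on a client that the GPO has actually delivered the rules to a logged-on user, the following added example (not part of the original post) reads the Disallowed path rules from that user's policy registry key and compares them with the four paths entered in the steps above. The registry location and the function names `Get-DisallowedPathRule` and `Test-ChromeBlockRule` are assumptions of this example.

```powershell
# Added example, not from the original post.
# Assumption: user-scoped SRP path rules live under this policy key,
# where level 0 means Disallowed and each rule is a {GUID} subkey.
$SrpKey = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# The four paths entered in the GPO steps above.
$Expected = @(
    'chromesetup.exe'
    'chrome.exe'
    'C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe'
    'C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe'
)

function Get-DisallowedPathRule {
    param([string]$Key = $SrpKey)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    # Read ItemData unexpanded so %username% is compared as typed in the rule.
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    Get-ChildItem -LiteralPath $Key | ForEach-Object {
        [pscustomobject]@{
            RuleId = $_.PSChildName
            Path   = $_.GetValue('ItemData', $null, $raw)
        }
    }
}

function Test-ChromeBlockRule {
    $rules = @(Get-DisallowedPathRule)
    foreach ($path in $Expected) {
        [pscustomobject]@{
            Path    = $path
            # Path rules are not case-sensitive, so compare case-insensitively.
            Present = [bool]($rules | Where-Object { $_.Path -ieq $path })
        }
    }
}

$report = @(Test-ChromeBlockRule)
$report | Format-List
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) of $($Expected.Count) rules missing. Run 'gpupdate /force', log off and on, then check 'gpresult /r'."
}
```

Run it in the affected user's session rather than an elevated administrator session, since the rules are applied per user.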