For administrators who manage Chrome browser or ChromeOS devices for a business or school.
As a Chrome administrator, you can use the DownloadRestrictions policy to prevent users from downloading dangerous files, such as malware or infected files. You can prevent users from downloading all files or those that Google Safe Browsing identifies as dangerous. If users try downloading dangerous files, they get a security warning that they can’t bypass.
To understand what file types are impacted by this policy and what files are potentially blocked, see the Chromium code here.
Step 1: Review the policy
Policy: DownloadRestrictions
There are many types of download warnings within Chrome that can generally be categorized as follows:
- Malicious, as flagged by the Safe Browsing server.
- Uncommon or unwanted, as flagged by the Safe Browsing server.
- A dangerous file type. For example, all DLL downloads and many EXE downloads.
For more details on these categories, see Google Chrome blocks downloads.
Setting the DownloadRestrictions policy blocks different subsets of these, depending on it's value:
- 0—Default. No special restrictions.
- 1—Blocks the following files:
- files flagged by Safe Browsing as DANGEROUS_ACCOUNT_COMPROMISE or DANGEROUS
- download URLs flagged by Safe Browsing
- files that have a danger_level of DANGEROUS and ALLOW_ON_USER_GESTURE.
Note: We only recommend setting this policy for organization units, browsers, or users that do not regularly incorrectly identify an entity, such as a file or a process, as malicious.
- 2—Blocks the following files:
- files flagged by Safe Browsing as DANGEROUS, UNCOMMON, POTENTIALLY_UNWANTED, DANGEROUS_HOST, DANGEROUS_ACCOUNT_COMPROMISE
- download URLs flagged by Safe Browsing
- files that have a danger_level of DANGEROUS and ALLOW_ON_USER_GESTURE
Note: We only recommend setting this policy for organization units, browsers, or users that do not regularly incorrectly identify an entity, such as a file or a process, as malicious
- 3—Blocks all downloads. Not recommended, except for special use cases.
- 4—Recommended. Blocks files flagged as DANGEROUS, DANGEROUS_HOST, ACCOUNT_COMPROMISE, or if the URL is flagged by Safe Browsing
Unset: Defaults to No restrictions, as described above.
Step 2: Set the policy
Click below for steps, based on how you want to manage these policies.