Block Downloads in Chrome via Group (2026)

Last updated: April 17, 2026

Controlling file downloads in Chrome across an organization is a common requirement for IT administrators and security teams. Whether you need to prevent sensitive data leakage, restrict certain file types, or enforce a locked-down browsing environment, Chrome’s Group Policy settings provide solid mechanisms for blocking downloads at scale.

This guide walks you through configuring Chrome to block file downloads using Windows Group Policy, with practical examples tailored for developers and power users managing enterprise Chrome deployments. By the end, you’ll have a complete picture of every available mechanism. from blanket blocks to fine-grained, per-domain rules. along with tested PowerShell snippets you can deploy immediately.

Understanding Chrome’s Group Policy Framework

Chrome Enterprise policies are stored in the Windows Registry and managed through Group Policy Objects (GPOs). When you install Chrome for enterprise, administrative templates (ADMX files) are added to your policy editor, exposing dozens of configurable settings under Computer Configuration → Administrative Templates → Google Chrome.

The policy engine operates on a hierarchy: machine-level policies apply to all users on a device, while user-level policies affect individual accounts. For download restrictions, you’ll primarily work with machine-level policies to ensure consistent enforcement across your organization.

Before making any changes, download the latest Chrome ADMX templates from Google’s enterprise download page. The templates are versioned alongside Chrome, so an outdated template file can expose a different set of policy options than what your installed Chrome version actually supports. Extract the bundle, copy chrome.admx and google.admx to C:\Windows\PolicyDefinitions, and copy the matching .adml language files to C:\Windows\PolicyDefinitions\en-US. Once those are in place, Group Policy Editor will show the full Chrome policy tree.

Registry Layout and Precedence

Policies land in one of two registry hives:

Hive	Scope	Notes
`HKLM\SOFTWARE\Policies\Google\Chrome`	Machine (all users)	Highest precedence; cannot be overridden by user
`HKCU\SOFTWARE\Policies\Google\Chrome`	Current user only	Can be used for per-user pilots
`HKLM\SOFTWARE\Policies\Google\Chrome\Recommended`	Machine-recommended	User can override within bounds set here

For enforcement, always write to the machine hive. Recommended policies belong in the \Recommended subkey and show up in Chrome settings as defaults that users can change.

Blocking All Downloads System-Wide

The most straightforward approach blocks all file downloads entirely. This is useful for kiosk systems, secure terminals, or environments where internet access should be read-only.

Navigate to your Group Policy Editor and locate:

Computer Configuration → Administrative Templates → Google Chrome → Download restrictions

You’ll find a policy called “Download restrictions” with three possible values:

No restrictions (default): Downloads are allowed
Block dangerous downloads: Only blocks files flagged by Chrome’s safe browsing
Block all downloads: Completely prevents any file download

To enforce this via the Windows Registry directly, create the following key:

Registry path for machine-level policy
HKLM\SOFTWARE\Policies\Google\Chrome
Create a DWORD value named DownloadRestrictions
Value 0 = No restrictions
Value 1 = Block dangerous downloads
Value 2 = Block all downloads

Set the value to 2 to block all downloads:

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "DownloadRestrictions" -Value 2 -PropertyType DWord -Force

After applying this policy, users attempting to download any file will see Chrome block the action and display a notification explaining the download was blocked by administrator policy.

Deploying to Many Machines at Once

For an environment with hundreds of machines, apply the registry entry through a GPO startup script or push it with your RMM tool. Here is a self-contained PowerShell script suitable for a software deployment package:

param(
 [ValidateSet(0, 1, 2)]
 [int]$RestrictionLevel = 2
)
$registryPath = "HKLM:\SOFTWARE\Policies\Google\Chrome"
if (-not (Test-Path $registryPath)) {
 New-Item -Path $registryPath -Force | Out-Null
}
Set-ItemProperty -Path $registryPath -Name "DownloadRestrictions" -Value $RestrictionLevel -Type DWord
Write-Output "DownloadRestrictions set to $RestrictionLevel on $(hostname)"

Run it as Set-ChromeDownloadPolicy.ps1 -RestrictionLevel 2 during imaging or via a remote execution tool. The -RestrictionLevel parameter lets you reuse the same script to relax restrictions (pass 0) on developer workstations without maintaining separate scripts.

Blocking Specific File Types

A more practical scenario for most organizations involves blocking dangerous file types while allowing safe ones. Chrome allows you to specify allowed file extensions or blocklist certain extensions.

The policy “Allowed download directories” lets you restrict where downloads can be saved. Combined with “Download directory” policy, you can redirect all downloads to a monitored location:

Set download directory to a restricted location
HKLM\SOFTWARE\Policies\Google\Chrome\DownloadDirectory = "C:\\MonitoredDownloads"
Or use enterprise-managed download paths
HKLM\SOFTWARE\Policies\Google\Chrome\DownloadRestrictions = 1

For blocking specific extensions, you’ll need to use Chrome’s content settings or a more sophisticated approach using the “ExtensionInstallForcelist” policy combined with a custom extension that intercepts downloads.

File-Type Blocking Matrix

Chrome’s native DownloadRestrictions policy is all-or-nothing at the file level. To achieve per-extension blocking you have two practical options:

Option A. Redirect to a monitored folder and scan at the OS level. Set DownloadDirectory to a shared path monitored by your endpoint security tool. All downloads land there; the security tool quarantines executables automatically.

Option B. Deploy a managed Chrome extension. A forced-installed extension can listen to chrome.downloads.onCreated, inspect the filename, and call chrome.downloads.cancel() for disallowed extensions. This gives you per-extension granularity without blocking PDFs and images alongside EXEs.

A minimal extension background script for extension-based blocking:

// background.js. block .exe, .msi, .bat, .ps1
const BLOCKED_EXTENSIONS = ['.exe', '.msi', '.bat', '.cmd', '.ps1', '.vbs'];
chrome.downloads.onCreated.addListener((downloadItem) => {
 const filename = downloadItem.filename.toLowerCase();
 const isBlocked = BLOCKED_EXTENSIONS.some(ext => filename.endsWith(ext));
 if (isBlocked) {
 chrome.downloads.cancel(downloadItem.id, () => {
 console.warn(`Blocked download: ${downloadItem.filename}`);
 });
 }
});

Package this as a CRX, host it on your internal server, and force-install it via ExtensionInstallForcelist:

Force-install the extension from your internal update server
$extId = "YOUR_EXTENSION_ID_HERE"
$updateUrl = "https://ext.internal.company.com/update.xml"
New-ItemProperty `
 -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" `
 -Name "1" `
 -Value "$extId;$updateUrl" `
 -PropertyType String -Force

Using Content Settings for Granular Control

Beyond Group Policy, Chrome’s content settings provide another layer of control. You can configure these programmatically through the ContentSettings policy:

{
 "ContentSettings": {
 "plugins": {
 "plugins_disabled": ["Adobe Flash Player"]
 },
 "download_restrictions": {
 "download_restrictions": 2
 }
 }
}

Deploy this configuration through Group Policy by creating a JSON file and referencing it in your policy settings.

Combining Content Settings with URL Rules

Content settings and URL allow/blocklists operate independently but complement each other. A practical layered configuration for a mid-sized organization might look like:

Set DownloadRestrictions = 1 (block dangerous) organization-wide as a baseline.
Use URLBlocklist to block downloads from known file-sharing sites.
Add URLAllowlist entries for internal servers that must serve installers.
Force-install the extension described above for fine-grained file-type control on machines handling regulated data.

This defense-in-depth approach avoids the user friction of a full block while still closing the most common download-based attack vectors.

Enterprise Deployment with Chrome Browser Cloud Management

For organizations using Chrome Browser Cloud Management, you can configure these policies through the Google Admin console. This provides a centralized interface for managing Chrome policies across your entire organization without touching individual machines.

The cloud-based approach offers advantages for distributed teams:

Centralized policy management
Real-time configuration updates
Reporting and compliance dashboards
User-level and machine-level targeting

Cloud Management vs. On-Premises GPO. Comparison

Feature	On-Premises GPO	Chrome Browser Cloud Management
Setup complexity	Medium (requires AD)	Low (Google Admin account)
Policy propagation speed	Next GPO refresh (~90 min)	Near real-time
Works for remote / non-domain machines	No	Yes
Audit log	Windows Event Log	Admin console reporting
Cost	Included with Windows Server	Free tier available; advanced features paid
Best for	Traditional AD environments	Hybrid or fully cloud workforces

If your organization is migrating from on-premises Active Directory to a cloud-first model, Chrome Browser Cloud Management is the better long-term choice. Policies applied through the Admin console override locally set GPO values when the two conflict, so plan your transition carefully.

Blocking Downloads from Specific Domains

Sometimes you need to allow downloads from trusted domains while blocking them from untrusted sources. This requires a more nuanced approach using Chrome extensions or the “URLBlocklist” policy.

Configure URL-based restrictions:

Block downloads from specific domains
HKLM\SOFTWARE\Policies\Google\Chrome\URLBlocklist = [
 "example.com/downloads/*",
 "*.suspicious-domain.net/*"
]

For developers building internal tools, You should allow downloads only from your internal domains:

Allow only specific domains (whitelist approach)
HKLM\SOFTWARE\Policies\Google\Chrome\URLAllowlist = [
 "internal.company.com/*",
 "devtools.internal.net/*"
]

PowerShell Script for Bulk URL Rules

Managing many URL rules by hand in the registry is error-prone. This script reads a plain-text file of blocked URLs and writes them as numbered registry values:

blocklist.txt. one URL pattern per line
Usage: Set-ChromeURLBlocklist.ps1 -ListFile blocklist.txt
param([string]$ListFile = "blocklist.txt")
$blocklistPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\URLBlocklist"
if (-not (Test-Path $blocklistPath)) {
 New-Item -Path $blocklistPath -Force | Out-Null
}
Clear existing entries
Remove-Item -Path $blocklistPath -Recurse -Force
New-Item -Path $blocklistPath -Force | Out-Null
$urls = Get-Content $ListFile | Where-Object { $_ -ne "" -and $_ -notlike "#*" }
$index = 1
foreach ($url in $urls) {
 New-ItemProperty -Path $blocklistPath -Name "$index" -Value $url -PropertyType String -Force | Out-Null
 $index++
}
Write-Output "Wrote $($index - 1) URL blocklist entries."

Store blocklist.txt in version control alongside your other infrastructure-as-code files. That way URL rule changes go through your normal review process rather than being applied ad hoc.

Practical Implementation for Developers

If you’re developing Chrome extensions or enterprise tools, you can programmatically check download restrictions in your code:

// Check if downloads are allowed
chrome.policy = chrome.policy || {};
chrome.policy.get(['DownloadRestrictions'], (result) => {
 const restrictionLevel = result.DownloadRestrictions;
 switch (restrictionLevel) {
 case 0:
 console.log('Downloads allowed');
 break;
 case 1:
 console.log('Only dangerous downloads blocked');
 break;
 case 2:
 console.log('All downloads blocked');
 break;
 }
});

For testing your policies before deployment, Chrome provides a policy testing tool at chrome://policy. This shows all currently applied policies and their values, making it easy to verify your configuration is working correctly.

Testing Policies in a Local VM Before Rollout

Always validate in a non-production environment before pushing to endpoints. A repeatable test workflow:

Spin up a Windows VM with a clean Chrome install.
Run your PowerShell deployment script with the target parameters.
Open chrome://policy and confirm the expected values appear with source: platform.
Attempt downloads of each file type you intend to block/allow. Confirm behavior matches intent.
Run gpresult /h gpresult.html and inspect the resulting HTML report to confirm there are no conflicting GPO entries from other linked GPOs.

Automating step 4 is possible with Playwright. A simple test that confirms blocked downloads:

// playwright-download-test.js
const { chromium } = require('playwright');
(async () => {
 const browser = await chromium.launch({ channel: 'chrome' });
 const page = await browser.newPage();
 // Attempt a download and catch the failure
 const [download] = await Promise.allSettled([
 page.waitForEvent('download', { timeout: 5000 }),
 page.goto('https://your-test-server.internal/test.exe')
 ]);
 if (download.status === 'rejected') {
 console.log('PASS: Download was blocked as expected');
 } else {
 console.error('FAIL: Download was not blocked');
 process.exit(1);
 }
 await browser.close();
})();

Integrate this test into your CI pipeline so that any change to Chrome policies is automatically validated against a live Chrome instance.

Verification and Troubleshooting

After deploying your download restrictions, verify they work correctly:

Open Chrome and navigate to chrome://policy
Look for “DownloadRestrictions” in the policy list
Check that the value matches your configuration
Attempt a test download to confirm blocking works

Common issues include:

Policy not applying: Ensure the registry key path is correct and you have administrative privileges
User-level overriding: Some users may have local admin rights that allow them to override certain policies
Conflicting policies: Check for both user and machine-level policies that might conflict

For enterprise environments, use Group Policy Results (gpresult /r) to see which policies are being applied to specific machines and users.

Troubleshooting Decision Tree

chrome://policy shows DownloadRestrictions?
 NO → Registry key is missing or wrong hive
 Check: HKLM:\SOFTWARE\Policies\Google\Chrome
 Fix: Re-run deployment script as local admin
 YES, but behavior is wrong
 Source shown as "cloud" instead of "platform"?
 Cloud management policy is overriding your GPO
 Align the cloud policy with your GPO setting
 
 Source shown as "platform"?
 Value correct but download still succeeds?
 → Chrome may not have restarted after policy write
 → Force Chrome restart or run: gpupdate /force

Additional Diagnostic Commands

Show all applied machine policies (verbose)
gpresult /scope computer /v
Export a readable HTML report
gpresult /h "C:\Temp\gp-report.html" /f
Check Chrome registry values directly
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Google\Chrome" |
 Select-Object DownloadRestrictions, DownloadDirectory
Confirm the policy is not hidden under the user hive
Get-ItemProperty "HKCU:\SOFTWARE\Policies\Google\Chrome" -ErrorAction SilentlyContinue |
 Select-Object DownloadRestrictions

When to Use Each Restriction Level

Choose your restriction level based on your security requirements:

Level	Setting	Best For	Trade-offs
0	No restrictions	Developer workstations, power users	Full exposure to malicious downloads
1	Block dangerous downloads	Most office workers	Relies on Safe Browsing intelligence; novel threats may slip through
2	Block all downloads	Kiosks, call centers, secure terminals	Disrupts legitimate workflows; requires exceptions process

Most organizations find Level 1 provides the right balance, blocking known malicious files while allowing legitimate business downloads. If you choose Level 2, build an exceptions workflow so that users with legitimate download needs can request a temporary allow-listing through your IT helpdesk without requiring policy changes that affect the whole machine.

Real-World Scenario: Regulated Financial Services Firm

A securities trading firm needs to prevent traders from downloading market data files to personal USB drives while still allowing their compliance team to download audit reports. The solution:

Default: DownloadRestrictions = 2 on all trader workstations.
Compliance team machines: DownloadRestrictions = 1 combined with DownloadDirectory pointing to a DLP-monitored network share.
Internal trading platform domain added to URLAllowlist so the web app can still trigger file saves within the browser’s sandboxed download flow.
Quarterly GPO audits using gpresult to confirm no machines have drifted from the baseline.

This layered approach satisfies both the security requirement and the operational reality that some users genuinely need download access.

I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel. These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code. **[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=chrome-block-file-downloads-group-policy)** $99 once. Free forever. 47/500 founding spots left.