You may already be aware there is a pretty serious vulnerability in Java that has just been patched (see Security Alert for CVE-2013-0422 Released) on pretty much all versions of the program. For some people, however, this may get them questioning whether they need Java installed at all on their computers. Personally, I have uninstalled Java from my friends' and family's computers for the past few years without anyone ever complaining. Certainly other Microsoft MVPs are also finding that having Java disabled in the browser seems to have little or no effect (see https://twitter.com/troyhunt/status/290589939782000641 ) as most web sites no longer use Java applets. However, as an avid gamer IT Professional I am fully aware that some programs require Java to be installed to allow the full desktop apps to work (like Minecraft). So you may be pleased to know there is a way to disable Java in Internet Explorer, thus greatly reducing the risk of having Java installed…
While Java is not normally configured via the registry, thanks to @rickd4real (via @stealthpuppy) I have been able to extract the Group Policy Preference Registry file that you can quickly import into your GPO to disable Java in IE for Users or Computers.
Disclaimer: Use at your own risk. I am trusting the registry keys provided are sufficient to disable Java.
Update: Additional info at Microsoft KB : http://support.microsoft.com/kb/2751647
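To check what a client actually ended up with after the GPO applies, the following PowerShell audit reads the IE "Java permissions" URL action (1C00) for each security zone and decodes it. This is an added example, not part of the original post or the extracted registry file; the function name `Get-JavaZoneSetting` is hypothetical, and reading the HKLM counterpart of the per-user Zones path is an assumption.

```powershell
# Added example: audit URL action 1C00 (Java permissions) per IE security zone.
# Value meanings are Microsoft's documented policy values for this action.
$JavaPolicy = @{
    0x0      = 'Disabled (Java prohibited)'
    0x10000  = 'High safety'
    0x20000  = 'Medium safety'
    0x30000  = 'Low safety'
    0x800000 = 'Custom'
}
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}
# Per-user path as quoted on this page, plus its machine-wide counterpart (assumption).
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-JavaZoneSetting {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $path  = Join-Path $root $zone
            $value = $null
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path -Name '1C00' -ErrorAction SilentlyContinue
                if ($item) { $value = $item.'1C00' }
            }
            # Decode the DWORD; report unknown values in hex instead of guessing.
            if ($null -eq $value)                        { $meaning = 'Not set' }
            elseif ($JavaPolicy.ContainsKey([int]$value)) { $meaning = $JavaPolicy[[int]$value] }
            else                                          { $meaning = 'Unknown (0x{0:X})' -f $value }

            [pscustomobject]@{
                Hive        = $root.Substring(0, 4)
                Zone        = '{0} ({1})' -f $zone, $ZoneNames[$zone]
                Value       = $value
                Meaning     = $meaning
                JavaBlocked = ($value -eq 0)   # only an explicit 0 counts as blocked
            }
        }
    }
}

Get-JavaZoneSetting | Format-Table -AutoSize
```

This only reports the zone setting; it does not inspect the per-CLSID entries under ActiveX Compatibility, so a "blocked" result here should still be confirmed with a browser test.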
Warning! Using Disable_JAVA_Toolkit_v1 HKCU\..\1c00 setting is not applied: neither changed (if exists), not changed. Also http://java.com/en/download/installed.jsp?detect=jre shows “An old version of Java has been detected on your system.”, but “test the currently installed version of Java” fails to run add-on.
Why the heck this user setting is not applied by GPO?
Is it enough protection against running Java in the browser with HKLM\..\ActiveX Compatibility settings applied but without the user setting?
What does key 1c00 value 0 in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3” mean? What do other values for the key (I’ve seen 0x10000) do?
http://support.microsoft.com/kb/2751647/ doesn’t explain this.
Thank you!
The Microsoft KB article says that it can be done by applying either the User or the Computer setting. As I said in the post… This goes without warranty and you should test yourself. But if your Java Checker web site is saying the add-on fails to run, this is a good sign that Java has been blocked in IE. Hope it helps.
Can these be imported into GPO settings in a Server 2003 environment?
If so any procedures I can follow, thanks.
Yes. If you have the client side extensions applied they will work in 2003.
How could I undo the settings in GPO?
Removed the link and setting in GPO but still not able to run JAVA in IE.
I need to enable the settings back to normal.
Thank you,
Change the action to Delete… I think… BUT TEST FIRST!!!
Hello! I’ve been testing this and it appears that the Object tags are not correctly blocked since the registry keys referred to in KB2751647 only reference a few Java 1.7 versions for the most part. I ran a test where I used the Object tag to call a Java 1.6 plugin along with the registry keys provided and I unfortunately found that it was allowed to run successfully, i.e. it was not blocked as I expected it to be.
If you are aware of any other ways to easily block access to the Object tag without creating killbits for each Java version, that would be appreciated.
Thanks!