BlockMyself
Browser policy

Lock down the browser settings people usually change.

Use system-level browser policy when normal settings are too easy to reverse.


Use policy when settings are too easy to change

Browser policy is useful when you need the browser to refuse certain changes from the daily account: DNS-over-HTTPS, URL blocklists, URL allowlists, extension installs, guest profiles, and developer tools.

  1. Decide which browsers are allowed to remain installed.
  2. Remove browsers that you do not intend to manage.
  3. Apply policies from an administrator account, MDM, Group Policy, or system-level policy file.
  4. Verify inside the browser's policy page.
  5. Run the browser section of Test your setup.

Choose a browser strategy

| Strategy | Use when | Main controls |
|---|---|---|
| One managed browser | You can remove all other browsers. | Default browser, URL policy, DoH off, extension blocklist, app-install restrictions. |
| Allowed-browser set | You need two or three browsers for work or school. | Apply policy to each browser and block installing unmanaged browsers. |
| Allowlist mode | Blocklists keep failing. | Block all URLs with * and allow only needed sites. |
| Network-first | Many devices or apps need coverage. | Router DNS enforcement plus browser DoH/DoT policy. |

Google Chrome / Chromium policy

Chrome policies can be verified at chrome://policy. Restart Chrome after applying policy, then click Reload policies.

Recommended policies

  • DnsOverHttpsMode: off
  • URLBlocklist: domains or * for allowlist mode
  • URLAllowlist: required exceptions when using allowlist mode
  • ExtensionInstallBlocklist: *
  • ExtensionInstallAllowlist: only extensions the trusted person approves
  • BrowserGuestModeEnabled: false
  • IncognitoModeAvailability: 1 (disabled) if private windows are a bypass in your setup

Verify

  1. Open chrome://policy.
  2. Click Reload policies.
  3. Confirm each policy appears.
  4. Confirm Status is OK.
  5. Try to change Secure DNS, install an extension, open a blocked site, and use a guest profile.

Linux JSON example

For Google Chrome, place a managed policy file under /etc/opt/chrome/policies/managed/. For Chromium, many distributions use /etc/chromium/policies/managed/.

{
  "DnsOverHttpsMode": "off",
  "URLBlocklist": [
    "*://*.example-blocked.test/*",
    "*://example-blocked.test/*"
  ],
  "ExtensionInstallBlocklist": ["*"],
  "BrowserGuestModeEnabled": false,
  "IncognitoModeAvailability": 1
}

Windows Registry example for Chrome

Save the following as a .reg file and import it from an elevated PowerShell session, or deploy the same values by Group Policy/MDM. Replace the example domains with your own list.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DnsOverHttpsMode"="off"
"BrowserGuestModeEnabled"=dword:00000000
"IncognitoModeAvailability"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\URLBlocklist]
"1"="*://*.example-blocked.test/*"
"2"="*://example-blocked.test/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist]
"1"="*"

Allowlist mode example

Allowlist mode is strict. It can break sign-in, updates, embedded content, payment flows, work tools, and school portals until you add the required domains.

{
  "URLBlocklist": ["*"],
  "URLAllowlist": [
    "https://example-needed-site.test/*",
    "https://accounts.google.com/*",
    "chrome://policy"
  ]
}
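To complement the chrome://policy check, the files on disk can be audited against the recommended Chrome values and the allowlist-mode rules above. This is an added example, not code from the original page; the function name `audit_managed_dir` and the `admin_uid` parameter are assumptions made for illustration.

```python
import json
import stat
from pathlib import Path

# Recommended Chrome values from the policy list on this page.
REQUIRED = {"DnsOverHttpsMode": "off",
            "BrowserGuestModeEnabled": False,
            "IncognitoModeAvailability": 1}

def audit_managed_dir(directory, admin_uid=0):
    """Return findings for the *.json policy files in a managed directory."""
    findings, merged = [], {}
    for path in sorted(Path(directory).glob("*.json")):
        st = path.stat()
        # A policy file the daily account can rewrite is only friction.
        if st.st_uid != admin_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path.name}: writable by a non-admin account")
        try:
            data = dict(json.loads(path.read_text()))
        except (ValueError, TypeError) as exc:
            findings.append(f"{path.name}: invalid policy JSON ({exc})")
            continue
        for key, value in data.items():
            if key in merged and merged[key] != value:
                findings.append(f"{key}: conflicting values across files")
            merged[key] = value
    for key, want in REQUIRED.items():
        got = merged.get(key)
        # Compare types too: JSON true would otherwise equal 1.
        if key not in merged:
            findings.append(f"{key}: not set")
        elif type(got) is not type(want) or got != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")
    if "*" not in merged.get("ExtensionInstallBlocklist", []):
        findings.append("ExtensionInstallBlocklist: does not contain *")
    blocked = merged.get("URLBlocklist", [])
    if not blocked:
        findings.append("URLBlocklist: not set")
    elif "*" in blocked:  # allowlist mode
        allowed = merged.get("URLAllowlist", [])
        if not allowed:
            findings.append("URLAllowlist: empty while URLBlocklist is *")
        elif "chrome://policy" not in allowed:
            findings.append("URLAllowlist: chrome://policy is not listed")
    return findings

if __name__ == "__main__":
    for line in audit_managed_dir("/etc/opt/chrome/policies/managed"):
        print(line)
```

Directory ownership matters as well: an account that can write to the managed directory can replace the file.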

Microsoft Edge policy

Edge policies can be verified at edge://policy. Edge uses policy names similar to Chromium, with Microsoft policy locations.

Recommended policies

  • DnsOverHttpsMode: off
  • URLBlocklist and URLAllowlist
  • ExtensionInstallBlocklist: *
  • BrowserGuestModeEnabled: false
  • InPrivateModeAvailability: 1 (disabled) if private browsing is a bypass

Windows Registry example for Edge

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"DnsOverHttpsMode"="off"
"BrowserGuestModeEnabled"=dword:00000000
"InPrivateModeAvailability"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist]
"1"="*://*.example-blocked.test/*"
"2"="*://example-blocked.test/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist]
"1"="*"

Microsoft Family Safety web filtering is Edge-centered. If the daily user can install or use another browser, use app restrictions, standard-user accounts, and browser policy.
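The Chrome and Edge registry examples carry the same policies as the Linux JSON file, so one source can generate both and keep them from drifting apart. This is an added example, not code from the original page; `policy_to_reg`, `ROOTS` and `EDGE_NAMES` are illustrative names, and the mapping covers only the value types used on this page (strings, booleans, integers and lists of strings).

```python
import json

ROOTS = {  # registry locations used in the examples on this page
    "chrome": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome",
    "edge": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge",
}
# Policy whose name differs between the two browsers on this page.
EDGE_NAMES = {"IncognitoModeAvailability": "InPrivateModeAvailability"}

def _quote(text):
    # .reg string values escape backslashes and double quotes.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def policy_to_reg(policy, browser="chrome"):
    """Render a Chromium-style policy dict as .reg text for one browser."""
    root = ROOTS[browser]
    scalars, subkeys = [], []
    for name, value in policy.items():
        if browser == "edge":
            name = EDGE_NAMES.get(name, name)
        if isinstance(value, list):
            # List policies become a subkey with values named "1", "2", ...
            rows = [f'"{i}"={_quote(str(v))}' for i, v in enumerate(value, 1)]
            subkeys.append("\n".join([f"[{root}\\{name}]", *rows]))
        elif isinstance(value, (bool, int)):
            scalars.append(f'"{name}"=dword:{int(value):08x}')
        elif isinstance(value, str):
            scalars.append(f'"{name}"={_quote(value)}')
        else:
            raise TypeError(f"{name}: unsupported type {type(value).__name__}")
    header = "Windows Registry Editor Version 5.00"
    blocks = ["\n".join([f"[{root}]", *scalars]), *subkeys]
    return "\n\n".join([header, *blocks]) + "\n"

# The Linux JSON example from this page, reused as input.
LINUX_POLICY = json.loads("""{
  "DnsOverHttpsMode": "off",
  "URLBlocklist": ["*://*.example-blocked.test/*", "*://example-blocked.test/*"],
  "ExtensionInstallBlocklist": ["*"],
  "BrowserGuestModeEnabled": false,
  "IncognitoModeAvailability": 1
}""")

if __name__ == "__main__":
    print(policy_to_reg(LINUX_POLICY, "edge"))
```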

Firefox enterprise policies

Firefox policies can be verified at about:policies. The common local method is a policies.json file in the Firefox distribution folder.

Common local paths

  • Windows: C:\Program Files\Mozilla Firefox\distribution\policies.json
  • macOS: /Applications/Firefox.app/Contents/Resources/distribution/policies.json
  • Linux: /usr/lib/firefox/distribution/policies.json or your distribution's Firefox install path

Useful Firefox policies

  • DNSOverHTTPS: disable and lock DoH.
  • BlockAboutConfig: block about:config.
  • BlockAboutProfiles: block profile switching tools.
  • DisableDeveloperTools: remove developer tools.
  • ExtensionSettings: block extension installs or allow only approved extensions.

Firefox policies.json example

{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    },
    "BlockAboutConfig": true,
    "BlockAboutProfiles": true,
    "DisableDeveloperTools": true,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked"
      }
    }
  }
}

macOS, iOS, and MDM note

Apple devices are strongest when settings are enforced by a configuration profile, supervision, or MDM that the daily user cannot remove. A normal personal profile is only friction if the daily user can remove it.

  1. Use Screen Time first for built-in content and app restrictions.
  2. Use a standard daily account on Mac.
  3. Use browser policy for Chrome, Edge, and Firefox if those browsers remain installed.
  4. Use an Apple configuration profile or MDM for stronger DNS, web content, app restriction, and profile-removal controls.
  5. Have the trusted person or organization own the MDM/admin account and recovery path.

Official policy references