How To Disable Java In IE

 Posted by on November 5, 2011  general, IE
Nov 052011
 

The methods below disable Java from running in most online tests e.g. Oracle’s Java test page here. However, new research from US CERT reveals that there are other (far more complex) methods required to completely disable Java from running in IE in all circumstances.

Updated January 2013if you want to disable Java in ALL web browsers (but keep using it for offline apps) the latest Java 7 Update 10+ includes a new Security Panel which makes it easy to disable Java content in ALL web browsers.

If you wanted to disable it for IE only, we now recommend uninstalling Java completely or using a different web browser (e.g. Firefox or Chrome) to reduce the risk of malware attack.

Java is installed as an add-on in Internet Explorer but, unlike Firefox and Chrome, it is impossible to disable Java from within IE itself - IE8 and IE9 ignored every option we could find to disable Java and continued to run Java applets (programs) regardless. This is a major security flaw in IE as people would think they had disabled Java when in fact they hadn’t – so Java exploits (e.g. Trojans) could still run amok on their computer :-(

If you just want to find out quickly how to disable Java in IE8 or IE9, skip to the next section below which gives our final solution – but, for those who are interested, here is what we did to try to forcibly disable Java in IE – on XP, Vista and W7. All failed to stop Java running…

  • In the menu bar, we clicked ‘Tools’ then ‘Manage Add-Ons’ and changed the ‘Show’ filter to to show ‘All Add-ons’. We disabled all the add-ons under Sun Microsystems (including the Java Deployment Toolkit, isInstalled Class and Java plugins etc) – Java still ran quite happily.
  • In the menu bar, we clicked ‘Tools’ then ‘Internet Options’ then ‘Advanced’ and unticked ‘Enable third-party browser extensions’ – didn’t make any difference, Java still ran which is strange as Oracle is most definitely a third-party.
  • In the menu bar, we clicked ‘Tools’ then ‘Internet Options’ then ‘Security’ then ‘Custom Level’ for the Internet zone and set ‘Scripting of Java applets’ to Disable. We had high hopes for this one but it also failed to stop Java running loose in our browser.

An average user could reasonably have expected that just one of these steps would have worked, never mind all three together. But IE8 and IE9 ignore the user’s efforts to disable the Java add-on, leaving a gaping hole in their security.

How To Disable Java in IE (Updated August 30th 2012) – The two methods below may not disable Java in all circumstances and therefore may not protect against malware attacks such as this week’s new 0-day Java Security Flaw. [see US-CERT.gov for a detailed list of the steps required to totally disable Java - they are extensive and very complex]

For this reason we now recommend uninstalling Java completely or using a different web browser (e.g. Firefox or Chrome) to reduce the risk of malware attack.There are 2 alternative methods – a registry tweak and a Java Control Panel tweak.

Registry Tweak – Advanced Users. Be careful when editing the registry – create a system restore point first.

To disable Java in IE, close IE and then use Regedit to open the Registry and change the value of the UseJava2IExplorer registry key to 0 (zero) instead of 1.

Depending on the version of Windows and the Java plug-in, this key can be found in one of these locations:

  • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer

Open IE and test Java – you should find it is now disabled – at least as far as online tests are concerned. If you want to re-enable Java in IE just change the registry key value back to 1

Java Control Panel Tweak

1. Close IE
2. XP – click Start then Control Panel then double click ‘Java’ (switch to ‘Classic View’ if you can only see Categories View in Control Panel) to open the Java Control Panel. Skip to step 4
3. Vista/W7 – via Oracle’s instructions (for Java 6 but applies to Java 7 too) you need to run the Java Control Panel from an elevated command prompt (even if your user account is already an administrator):

Click Start and in the Start Search box, type command. A list of matches will appear above. Right-click ‘Command Prompt’ in the Programs list then click ‘Run as administrator’.

In the Command Prompt window type the full path to the javacpl.exe (Java Control Panel) file and press Enter to run it – this will open the Java Control Panel in full administrator mode.

Note: the full path could be “c:\Program Files\Java\jre7\bin\javacpl.exe” (32bit Windows) or “c:\Program Files (x86)\Java\jre7\bin\javacpl.exe” (64bit of Windows) – substitute jre6 for jre7 if you still have Java 6 installed.

4. In the Java Control Panel, click the ‘Advanced’ tab
5. Expand (click the + sign next to) ‘Default Java for browsers’ – you should see ‘Microsoft Internet Explorer’ listed below it
6. Untick the ‘Microsoft Internet Explorer’ checkbox and click the ‘Apply’ button

Tip: In W7 and Vista the checkbox is greyed out so you can’t use the mouse/cursor to untick it. Select the Microsoft Internet Explorer entry with the cursor to highlight it then press the spacebar to untick the checkbox. In XP the checkbox isn’t greyed out so you can use either the cursor or spacebar.

7. A ‘Success – Browser’ message appears – click the OK button to return to the Java Control Panel and click the OK button to close the Java Control Panel

Open IE and test Java – you should find it is now disabled – at least as far as online tests are concerned…

Tip: to double check if Java is disabled, visit the Java test page here. If Java is disabled you should see a message ‘No working Java was detected on your system’ followed by an offer to download it and a message ‘Something is wrong. Java is not working’.

If you want to re-enable Java in IE, follow the same steps but this time tick the ‘Microsoft Internet Explorer’ checkbox (using Spacebar in Vista/W7) and click the ‘Apply’ button – Java will now start working again after you restart IE.

Tech note: this Control Panel tweak is simply a user interface way to apply the registry tweak above… If you check in Regedit afterwards you will see that the UseJava2IExplorer value has changed from 1 to 0 as a result.

Uninstall Java Completely?

Our preferred solution is to totally uninstall Java from your computer if you don’t need it. Unfortunately some offline programs e.g. the popular LibreOffice program (best free alternative to Microsoft Office) require Java for some features.

If you do still need it for offline programs we therefore recommend keeping Java up to date but disabling it in your web browser(s) – because it is almost impossible to disable totally in IE we highly recommend switching to a more secure (and faster) browser like Chrome or Firefox.

IE’s inability to disable an add-on from running is a major security risk – in our view that is yet another good reason to avoid using IE.

To disable Java in Google Chrome see here and to disable Java in Firefox see here.

  28 Responses to “How To Disable Java In IE”

  1. this doesnt surprise me, IE is so bad. I’ll stick with firefox, wouldn’t wish ie on my worst enemy!

    • Of course, you haven’t TRIED IE since 6.0, yet like all children still think you are qualified to judge it. And hilariously..you still use Firefox and think that makes you superior.. There is a REASON why Firefox’s market share is tumbling.

      • Yes there is a reason – and it’s called Chrome. IE market share has tumbled way faster than Firefox despite having the advantage of being the native Windows browser.

        Whatever, IE is the ONLY major browser which is not able to securely disable Java (oh, and I’m a frequent user of Chrome/Firefox/IE9 and IE10).

  2. A Windows 7 restricted user is not authorized to disable Java from Internet Explorer using the Java Control Panel.

    • Good point Michael, admin rights required. Having said that, virtually all the W7 home users we see still use admin accounts – we’re not so concerned about businesses as they will likely use group policy to manage settings like this anyway.

      We do encourage our home users to use a standard user account in W7 (it’s often a losing battle!) but in reality we hardly ever see one. It’s a shame that Microsoft default the first W7 user to be an admin account as that’s what most people use – and if they create a new account they tend to just give it the same rights as their current one…

  3. Is it possible that the reason IE8/9 fails to disable Java is java itself? I know I’ve been able to disable the Java plug-in in the past (though it was an accident).

    When I was developing some group policies to control Internet Explorer settings, I neglected to notice that the default setting of the group policy was to disable java. It apparently worked because I had a number of complaints when I first rolled it out and I later discovered my error.

    It was a few years ago, so I don’t recall what version of Java we were using at the time, but it probably was 6. So is the reason Java so stubborn because of some change Oracle made when they changed ownership?

    • Can’t say for sure but if it was a few years ago (and in a company) perhaps you were using IE6 or 7 rather than IE8/9?

      Either way, it shouldn’t really matter what Java tries to do – IE as a web browser should be able to disable any plugin from running (if you choose to), for basic security reasons, regardless of the wishes of the plugin…

  4. Hi,

    Thought I finally found the solution I have looked for, since I have also noticed that Java seem to be impossible to disable from the browser itself.

    However, unfortunately not even the method to disable Java from Internet Explorer using the Java Control Panel worked for me. I am logged in using an administrator account but I never get the ‘Success – Browser’ message’ and when I click the OK or Apply button the checkbox is ticked again.

    I am using W7 professional swedish version.

    • Are you able to actually untick the checkbox?

      If so and you still have no joy, I wonder if your Java settings are managed by Group Policy set as part of a corporate domain – the fact you have W7 Professional rather than Home Premium suggests that it might be?

      Unfortunately I don’t have W7 Pro to test this myself, works ok on Home Premium.

      • Yes, I am able to untick the checkbox using the spacebar, but after I have clicked the OK or Apply button, closed the Java Control Panel and then return again the checkbox is ticked.

        It is my personal computer at home office so I don’t think it is managed by Group Policy as far as it is not a default setting (I don’t know how to get the computer managed by Group Policy).

      • I have Java 6 Update 31 x86 (1.6.0_31-b05) installed on a Windows 7 Ultimate SP1 x64 machine with working plugin in Internet Explorer 9.
        Because of the frequent Java vulnerabilities warned about lately I decided to temporarily turn off the Java plugin in my browser, or let it prompt me whenever a Java applet is requested to start.
        It seems however that whatever I do the Java test page keeps telling me that Java is installed and working properly!

        I have:
        – Internet Explorer x86 -> Internet Options -> Security -> Internet: Custom Level -> Scripting: Scripting of Java applets: DISABLED
        – Internet Explorer x86 -> Manage Addons: All add-ons: ALL under Sun Microsystems, Inc.: DISABLED
        – Java Control Panel -> Advanced -> Default Java for browsers: Internet Eplorer is ENABLED BUT GREYED OUT. I can though DISABLE it by pressing the spacebar but upon applying I get the Error: Unable to change browser settings

        This really frustrates me, I just cannot seem to disable the damn plugin. Anybody have an idea? Any help much appreciated.

      • It appears that Java changes in July stopped my original method working.

        I have just updated the article (August 29th) with 2 new methods to completely disable Java in IE – tested working on IE9 on W7 64bit so should resolve your issue

        Do post back if it works for you – should do but I don’t have W7 Ultimate handy to try it

      • Yes, that does it, thank very much Roy! Funny that I already tried to find a file like java.cpl to run in an elevated prompt, but just couldn’t find it.

        I turned all the other options in IE back on and still the plugin does not work, so it seems the only way (and only thing needed) to disable the plugin in W7 is by disabling the Default Java for browsers > Microsoft Internet Explorer option in an elevated control panel.

        I am a programmer, for over 20 years, a power user. That said how are “regular” computer users going to find out how to disable Java in their browser, even if they barely know how to start the browser in the first place? And how unreliable is it that when you disable Scripting of Java applets and 6 Sun addons Java still works? Ridiculous…

      • A slightly easier method for the majority of users is probably the following:
        – create a shortcut to javacpl.exe, e.g. in your Start Menu
        – right-click it, click Advanced and enable “Run as administrator” and press OK twice. You probably need to be an administrator at this point (member of group Administrators), or hopefully a UAC prompt follows
        – now you can use this shortcut to open the Java control panel instead of from the Windows control panel.

      • javacpl.exe is a protected OS file (hidden by default) – you won’t find it unless you unhide OS files via Folder Options.

        I agree – behavior of IE is appalling (nothing new there!) and misleading security in ignoring the disabling of an addon.

        Sadly, US-CERT updated their vulnerability info overnight – the new method above is only part of what is required to disable Java FULLY in IE (disables applet calls but not embed or object calls). I’ll update later today but basically my advice will change to ‘use another browser or uninstall Java’…

  5. hello all,

    I belong to a group called Yahoo! Answers, where I answer questions on how to get back to Yahoo! Classic Mail.
    Came here looking for answers on how to disable the scripting for all browsers.

    All your suggestions worked great except for the IE.

    I have admin rights and the above didn’t work for me either, so there is some kind of over ride.
    I have Windows 7, Home edition.

    This is what worked for me:

    In Internet Explorer 7/8, from the Tools drop-down list, select Internet Options.
    In Internet Explorer 9:
    In the upper-right corner, click the gear icon.
    From the drop-down list, select Internet options.
    Select the Security tab.
    Click the Custom level… button.
    Scroll to the Scripting heading.
    Select the appropriate radio button.
    To enable JavaScript, under Active scripting, select the Enable radio button.
    To disable JavaScript, under Active scripting, select the Disable radio button.
    Click OK.
    Click the Yes button.
    Click OK.
    I found that on this other web site:
    http://answers.vt.edu/kb/entry/2083/

    Take care,
    Barbara

    • your solution disables Javascript but that is not the same as Java. are you sure you meant to disable it?

      Oracle Java is an optional plugin used by a few sites, mainly games/calculators. if the solution in the post doesn’t work just uninstall java – disabling javascript will not disable java

      Javascript is integrated into browsers and used by almost all sites – disabling it may be good protection from malicious sites but can also cause many safe sites to stop working…

  6. Thank you, I did figure out along the way before getting here that Java and Javascript are not the same thing.
    Funny thing is all the other suggestions here on this website, for the other browsers helped me to figure out how to disable the Javascript. Thank you to those.

    After disabling and getting what I wanted back, Yahoo mail Classic version, I enabled it again as the email and a few other sites didn’t want to work properly without it enabled.

    Thanks again,
    Barbara

  7. For more on this see

    Defensive Computing with Java
    June 20, 2012
    http://blogs.computerworld.com/applications/20562/defensive-computing-java

    • Great article Michael.

      I found 2 new methods to completely disable Java in IE – tested working on IE9 on W7 home prem 64bit but can’t see any reason why it wouldn’t work on W7 Pro too

  8. Hi,

    We’re confronted by an issue where we install JRE 6 to run a Java Windows applications for our business, but have no need for the Java web plug-in. We have managed to disable the Java web plug-in for IE and other browsers (Firefox / Chrome) by creating a group policy object which denies read / execute for users and administrators on the following files:

    C:\Program Files\Java\jre6\bin\dtplugin\npdeployJava1.dll
    C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    C:\Program Files\Java\jre6\bin\jp2iexp.dll

    C:\Program Files (x86)\Java\jre6\bin\dtplugin\npdeployJava1.dll
    C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll

    The latter group of files is for the case where you have the 32 bit Java installed on a 64 bit Windows machine.

    Cheers,
    Andrew

    • Thanks for that Andrew, good idea to try disabling the browser plugin.

      I can’t test it on group policy but you may also need to disable/remove the old Java plug in as well as the next gen plugin jp2iexp.dll

      “If the next-generation Java plug-in option is disabled, Internet Explorer will use the traditional Java plug-in, which operates within the process space of the browser. The Java plug-in can be disabled by removing any instance of the npjpi{version}.dll file”

      See the US CERT link in first paragraph of article for more details – there may be other files to disable too…

  9. Microsoft has excellent documentation that explains the “I’ve disabled it but Java still runs” problems that have you all scratching your head (even the clueless hater “Tired of Windows”).

    http://support.microsoft.com/kb/2751647

    And you keep saying how “appalling” it is the IE ignores your setting to disable an add-on but that isn’t true. IE is doing EXACTLY what it is supposed to do, disable the ActiveX control (which controls use). The fact that there is a second method for using applets, , is orthogonal to your complaint. Unless you believe Microsoft is supposed to provide the interface for setting the behaviors of a 3rd party’s (Oracle) hook into their browser? No, this problem rests squarely on Sun/Oracle for not providing the granularity (and documentation) needed to control all aspects of their Java plugin.

    What I see in this article (and to some degree in the comments) is a lot of finger-pointing, hand-wringing and pseudo-“power user” chest-thumping, but very little actual understanding of the problem.

    • Since the comment form mangled the use of tag names I’m reposting that section…

      Java can be invoked from APPLET tags (deprecated but still used on most websites) and from OBJECT tags. Disabling the ActiveX control from within the “Manage Add-Ons” will *NOT* prevent APPLET tags from working because the ActiveX control CLSID is only used for OBJECT invocation.

      Alternatively you can leave the ActiveX control enabled but limit which sites which are allowed to use it (and therefore Java via OBJECT) by editing the “Approved Sites” list found under…

      HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains

      …but of course this will not affect use via APPLET.

      That Microsoft KB article also explains how to disable APPLET support for specific security zones. This will also let you whitelist (sort of) sites for using APPLET. You can enable it in a specific zone (e.g. “Trusted Sites”) and then place the sites you wish to be able to use APPLET into that zone. Unfortunately that means those sites also get all the other relaxed-security benefits that come along with the higher privileged security zone (so it isn’t as granular as the ActiveX control “AllowedDomains’ mechanism).

      Roy, in your article you say “…set ‘Scripting of Java applets’ to Disable” … “Any one of these steps should have worked…”

      No, disabling of “Scripting of Java applets” will not disable the use of either APPLET nor OBJECT. Just the ability to use JavaScript to control a Java applet.

      And you keep saying how “appalling” it is the IE ignores your setting to disable an add-on but that isn’t true. IE is doing EXACTLY what it is supposed to do, disable the ActiveX control (which controls OBJECT use). The fact that there is a second method for using applets is orthogonal to your complaint. Unless you believe Microsoft is supposed to provide the interface for setting the behaviors of a 3rd party’s (Oracle) hook into their browser? No, this problem rests squarely on Sun/Oracle for not providing the granularity (and documentation) needed to control all aspects of their Java plugin.

      • Slagging off other commenters does nothing to help your argument.

        You say it is not MS fault even though Java bypasses all UI attempts to disable it in IE? MS have had years to either fix this in the UI or (if you believe it is all down to Oracle) IE should have simply blocked Java as a security risk. Either way, IE fails on plugin security:

        1. US-Cert found that the original Microsoft KB article you reference did NOT fully disable Java
        2. Java is both an Addon and a 3rd party extension – regardless of how IE technically implements applets and objects, any user should be entitled to expect that those settings in the UI will disable Java.

        3. Yes, the root of problem may lie with Oracle but your definition of IE ‘doing what it is supposed to do’ is not mine – IE can’t abdicate all responsibility for plugin security, especially one installed on c 75% of Windows computers.
        4. Firefox/Chrome etc have no such problems totally disabling Java (in all its forms) via their UI, funny that…

      • A Microsoft user sounding like a Nix zealot. Roy is right. The buck stops with Microsoft. A one-click way to globally disable Java shouldn’t be rocket science in Redmond.

  10. Folks I have been computing since the early days of Commodore. I am a user not a programmer or tech. However I consider myself knowledgable about computers. That said, I must admit, other than some early program writing etc. I stayed away from entering that realm of endeavor because of work/family constraints. I agree with the comments that MS or Oracle or both together should have worked this out before now so that all of us majority users can safely use our computers. I still use Win XP Home Ed. I have relatives who were in on the early days of computer developement in Ca. I would like to see you techs stick together and bring pressure to bear on the ones who can correct this problem…MS and Oracle.

    • @Mike – hi, thanks for the comments. I think Oracle and MS are getting the message now – Java had such bad press in recent months (even the US govt. advised uninstalling it) that some progress is being made.

      The new Security Panel in version 7 update 10+ makes it easy to disable Java in all browsers now, ideal for users who only need it for offline apps. However, there’s still no easy way to disable it just for IE – hopefully MS are working on that side of things.