Disabling Adobe Reader JavaScript Across the Domain

Adobe Reader is a bloated piece of software. For virtually no good reason it has a JavaScript engine in it. Adding a scripting language to a piece of software that doesn't need a scripting language is a good way to spread security problems. The script kiddies find ways of leveraging the power of the scripting language to do bad things. Adobe Reader has had just such security problems. Networks are compromised by tricking people into opening an infected pdf file that exploits a bug in the JavaScript engine. This bug is now is now fixed, but who knows how many other similar bugs exist in the JavaScript code in Reader. For this reason it is a really good idea to disable the JavaScript in Adobe Reader.

The question becomes, how do you enforce this across the domain. There is a nice article that describes exactly how to do this at this url: http://fabienduchene.blogspot.com/2010/01/disabling-adobe-javascript-using-gpo.html

I have updated the policy just a little to account for Adobe Reader 10.x. My content of the policy looks like this:

CLASS USER

CATEGORY "Adobe Reader"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Reader 10.x"
KEYNAME "Software\Adobe\Acrobat Reader\10.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 10.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY