Summary
Even when a Policy states that MSI and EXE files should not be downloadable, they can still be downloaded in some cases. For example, the client is able to download Chrome.exe even though EXE file downloads are blocked. This occurs when the client adds certain headers to the Policy, which allows Chrome and Mozilla to be downloaded.
Solution
The googlechrome.exe download is not blocked because the google.com request header will match before an 'extension' match is found for the same URL.
The recommended way to resolve this issue is to use a 'Proceed To List' rule.
1. Create a List with these entries:
    * --> default list action → "add the header"
    .exe --> Deny
    .msi --> Deny
2. Add a Policy to the Local List and set the action to Proceed to the List created above.
As always, it is recommended to test your new rule after implementation.
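The match-order problem and the 'Proceed To List' fix can be reproduced in a small model. This is an added example, not the product's own code or configuration syntax: it assumes simple first-match evaluation, and every function name, rule name and sample URL in it is hypothetical.

```python
from urllib.parse import urlsplit

# Simplified, constructed model of first-match rule evaluation (an assumption,
# not the product's engine). All names here are hypothetical.
ADD_HEADER, DENY, ALLOW = "add-header", "deny", "allow"

def on_domain(url, domain):
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)

def has_ext(url, ext):
    return urlsplit(url).path.lower().endswith(ext)

def header_rule(domain):
    # Original rule: any request to the domain matches and gets the header.
    return lambda url: ADD_HEADER if on_domain(url, domain) else None

def ext_rule(ext):
    return lambda url: DENY if has_ext(url, ext) else None

def proceed_to_list(domain, entries, default):
    # 'Proceed To List': on a domain match, the list decides. Specific
    # entries (.exe, .msi) are checked before the '*' default action.
    def rule(url):
        if not on_domain(url, domain):
            return None
        for ext, action in entries:
            if has_ext(url, ext):
                return action
        return default
    return rule

def evaluate(policy, url):
    # The first rule that returns an action ends evaluation.
    for rule in policy:
        action = rule(url)
        if action is not None:
            return action
    return ALLOW

BLOCK_EXTS = [ext_rule(".exe"), ext_rule(".msi")]
ORIGINAL = [header_rule("google.com")] + BLOCK_EXTS
FIXED = [proceed_to_list("google.com", [(".exe", DENY), (".msi", DENY)], ADD_HEADER)] + BLOCK_EXTS

# Constructed sample URLs.
EXE = "https://dl.google.com/constructed/googlechrome.exe"
PAGE = "https://www.google.com/search?q=test"

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, evaluate(policy, EXE), evaluate(policy, PAGE))
```

The same two requests, one executable download and one ordinary page on the header-matched domain, make a useful minimal test set when validating the real rule.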