steviex wrote:Wouldn't setting xpinstall.enabled in about:config to false accomplish much the same thing ?
No. That would, and does, block remote (websites) installs only, apart from the Mozilla Addons site.
********
I've tested this extension/theme blocking method, that I outlined above, on copies of real profiles that had 20 or so existing extensions and used every trick I knew to corrupt the profile, but it was fine. However, backing up your profile before doing this is a very good idea.
With this method of Read Only status, it should be noted that the 'Not compatible with...' messages that are shown in the Addons Manager are meaningless. Firefox only has a certain number of error messages, finds it cannot write to this file and ... ..thinks..'I'll show the old non-compat message, that'll have to do.' Just select Uninstall to get them to vanish out of the Addons Manager.
Vanilla is right when he states that a determined exe could change the ReadOnly attribute back, but do remember that the profile names are encrypted, so the pathing to these is not over easy.
Finally, I suggest making a note somewhere if you change to 'Read Only' status on the extensions.rdf as these things are pretty easy to forget in the future.
Onwards...
************
Plugins.
A short intro and then into KB mode I think, as this one is a bit more complicated to sort. (20 mins max)
Although the Firefox profile's pluginreg.dat does indeed contain a list of plugins, altering the attributes here will achieve zilch. This is because plugins are applied globally and are not profile specific. Therefore, to suppress the Firefox recognition of rogue plugins, we need to take a global approach to revert the very thing that was intended to make things easier, i.e. plugin auto detection.
so...
1. Check this out - http://kb.mozillazine.org/Plugin_scanning
2. Enter about:config in urlbar and enter the term 'plugin' in the searchbar -
3. Select plugin.expose_full_path, right click and toggle to true.
4. In a new tab, enter about:plugins in the urlbar. Copy the folder path of the Mozilla Default Plug-in (C:\Program Files xxxxxxxxxx\xxx\plugins or whatever) and enter this path into the Address bar of Windows Explorer (i.e. your local file browser), this will take you straight to the correct destination folder for stages 6 onwards.
5. Back to the about:plugins webpage. You now have a choice as to whether to leave the Java (SunJRE), Acrobat, WMP, Quicktime stuff alone or not. If you do want to limit these, then follow the about:config changes for these detailed in the KB link above.
6. In about:plugins, copy the folder paths of the plugins you wish to keep, i.e. C:\WINDOWS\system32\Macromed\Flash\ and paste that path into your local file browser. Copy the required .dll, in this case NPSWF32.dll, and paste this .dll into the Firefox application plugin folder (see Stage 4) Repeat this process for all required plugins.
7. Return to about:config and select plugin.scan.plid.all, right click and toggle to false.
8. Restart Firefox, plugin auto detection is now disabled, your desired plugins are in the correct folder and, er, you're done.
******
Notes:
a. When you update, say Flash, you will have to move the new Flash .dll over, but remember that about:plugins will not be showing you the path to the original location any more...so make a note of it now!
b. I've tested all this using Silverlight (nice small download ) and all works fine. Be aware, however, that in theory (?) rogue plugins could try to install directly into the Firefox application plugin folder. This could be prevented (?) by having the Firefox application in an unexpected location, i.e. not C:\Program Files. This is easy when, as I do, using .zip builds, but may be quite a chore for installers. Suggest we cross this bridge when/if we come to it. Meanwhile, just keep an eye on the Plugins section of the Addons Manager for suspect plugins.