From MozillaZine Knowledge Base
This article describes how to prevent specific settings from being modified from inside Firefox, Thunderbird, or SeaMonkey. This is commonly known as locking preferences.
If you're looking at a larger scale internal solution, you should consider using the Mozilla Client Customization Kit for Firefox, which supports preference locking and much more-- all packaged in an easy to use installer.
- You must first determine which settings you want to lock. This can be done multiple ways:
- A mostly complete list describing available settings can be found online on the about:config entries page (along with mail and news settings specific to Thunderbird and SeaMonkey).
- Preference settings, both user-specified and default values, are displayed in the about:config window while Firefox or SeaMonkey is running (in Thunderbird you have to invoke the Config Editor from the Advanced preferences), Settings shown here are updated as you change them in the browser.
- When the browser closes, it saves user-specified settings to the prefs.js file in the profile folder.
- If all else fails, you can ask in the forums or on IRC.
- Since it is commonly requested, we will use the browser proxy setting as an example. If you search for "proxy", you will eventually find the preference string for this option is "network.proxy.type". As described in the about:config entries article, the setting to use a direct connection is 0.
Creating the lock file
- Next, create a text file, and make the first line start with double forward slashes. On the next line(s), add the preferences you want to lock. The format of these lines is similar to that found in prefs.js, except that lockPref is used instead:
- Save the file as mozilla.cfg in your your installation directory (where the firefox, thunderbird, or seamonkey executable is located)
- The mozilla.cfg file should be saved ANSI encoded.
- This document (like many references throughout the web) previously recommended encoding this file as ROT13. This requirement is not mandatory and can easily be circumvented when loading the lock file (see below).
Other uses for the mozilla.cfg file
In addition to locking preferences and disallowing changes with
lockPref(); lines, you can use the mozilla.cfg file to make other preference changes. You can set a new default value for a preference by adding a
defaultPref(); line (related bug 786875). You can also modify a preference but allow it to be changed or reset in the current session by adding a
pref(); line (as shown here, for example).  
Loading the lock file
Finally, you must tell the application to load the lock file. Create a new file (eg "local-settings.js") in the defaults/pref subfolder of the installation directory.
- Open the "local-settings.js" file in a text editor and add the following line to the bottom, which points to the newly created lock file.
pref("general.config.obscure_value", 0); // only needed if you do not want to obscure the content with ROT-13
- Save the change and completely restart the application. Now, all of the prefs listed will be locked.
- The local-settings.js file should be saved ANSI encoded.
- This document previously recommended modifying the "all.js" file in the greprefs subfolder. Doing so breaks application updates whenever all.js must be updated (more details are given in bug 448504). Furthermore, in current versions of Firefox, Thunderbird, and SeaMonkey, all.js is now packaged as greprefs.js in the omni.ja file found at top level of the installation directory.
- While most files previously located in the defaults/pref directory are part of the zipfile omni.ja, you can still place the file local-settings.js in the defaults/pref folder where also the channel-prefs.js file is located (see bug 595522).
Verifying the lock
- To verify that the preference is actually locked, go into the Config Editor again after the restart (e.g., by typing "about:config" into the browser's location bar) and look up the preference.
- If the lock was successfully applied, the entry appears in italic and should state locked in the status column.
When a preference is locked, its GUI elements (checkboxes, buttons, etc.) are just grayed out like disabled items. Since these settings can no longer be changed by the user, you may want to prevent them from being shown at all in the GUI. Be careful though as dependent elements may still need to be accessible unless their preferences are locked as well. This purely cosmetic change can be done by modifying userChrome.css after identifying the CSS selectors associated with the respective GUI element.
Restricting file access
A user who can modify local-settings.js can obviously remove the lock file reference and change those settings. Revoking write authority from the user for local-settings.js would prevent this. However, it should be noted that doing this may prevent the user from upgrading the application in the future, as new major versions may contain changes to related files (such as "all.js").
Since it is possible to completely bypass locked preferences by running a separate version of Firefox, Thunderbird, or SeaMonkey (or a completely different application) from a different location, it may be necessary to restrict which programs can be run. However, at this point, it is probably a good idea to examine exactly why you are locking the preferences in the first place. If the intent is to protect users from themselves, or to keep novice users from breaking their software, then you have probably done enough. However, if you are trying to secure your network using client-side settings, then you should realize this is very difficult, and ultimately wastes too many resources. Instead, you should probably redirect your efforts to the server/router where you can fight battles that are more easily won.
To unlock all preferences, remove the entry you added earlier from the "local-settings.js" file and completely restart Firefox, Thunderbird, or SeaMonkey.