Only a handful of our (100 strong) IT team has it installed. I can't live without it. However, we still have to use IE or FF for certain intranet apps, as Chrome doesn't handle/render those apps correctly. (Or rather, yes I know, the pages aren't build to exacting standards - regardless, the problem exists)
You then have to consider this situation with non-technical users. Are you going to default Chrome? If so, how are the users going to know when it hasn't rendered a page correctly? How will they know to open IE or FF instead? To them, "it's all the interweb thing isn't it?".
I would personally say Chrome is several years away from being enterprise ready - certainly for our enterprise.
I can't help you with group-policy, but each extension includes its update URL in manifest.json.
So, for the current version of adblock (id: gighmmpiobklfepjocnamgkkbiglidom):
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.14_0\manifest.json
Contains:
"update_url": "http://clients2.google.com/service/update2/crx"
The extension will query that URL for updates, as per the documentation.
We can therefore construct a URL that will return the update XML from the above URL (just change the ID as needed) - for adblock:
http://clients2.google.com/service/update2/crx?response=updatecheck&x=id%3Dgighmmpiobklfepjocnamgkkbiglidom%26uc
The XML that is returned reads:
<?xml version="1.0" encoding="UTF-8"?>
<gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod">
<daystart elapsed_seconds="49387"/>
<app appid="gighmmpiobklfepjocnamgkkbiglidom" status="ok">
<updatecheck codebase="http://clients2.googleusercontent.com/crx/download/OAAAAFpzXu4buuGNADfzIKiz34SLARZdBLiXQ2zo50sAlzoBpEz77foH-XT3yHpPureXtHcQSYU2z4ZNstiuKJi-LD8AxlKa5VgufvySdIb5b9U333P0upRk1YPb/extension_2_5_14.crx" hash="" size="529317" status="ok" version="2.5.14"/>
</app>
</gupdate>
We are interested in the codebase attribute of updatecheck, which provides us the direct URL to the latest CRX file.
Best Answer
All the settings currently available to you via Group Policy are listed on the Chromium site. You can block all extensions, then allow certain ones via a whitelist, but I don't see anything in there that does specifically what you want.
In terms of blocking access to extensions, they will have access to whatever the user running Chrome has access to. Since the extension can access the content after it has been downloaded by the browser, there is no way the server can control this access.
So your choices seem to be maintaining an approved list of extensions you aren't worried about, or making a custom version of Chrome (Chromium is Open Source) to distribute to users that includes the functionality you are looking for.
Reading the Chrome Extensions Developer Guide section on Content Scripts, particularly the sections on Execution Environment, Communication with the Embedding Page and Security Considerations, will give you a better understanding of how Chrome Extensions work, and may suggest where you have opportunities either working with Chromium, or customising extensions.
Or set up some sophisticated deep packet inspection firewall that can identify content you don't want to leak, which would have the additional benefit of covering all applications - but be rather expensive :-)