Best practice to disable execution of a specific file type (for example: .js) for all hosts in an AD domain?

Reading through this [recent reverse engineering breakdown](https://www.reddit.com/r/blueteamsec/comments/w3ltu3/analysis_of_a_trojanized_jquery_script_gootloader/?utm_source=share&utm_medium=ios_app&utm_name=iossmf) on a JavaScript based loader for a PowerShell / .NET loader, I realized the whole attack hinged on the user clicking a .js file downloaded outside of the browser.

It seems [pretty trivial](https://www.computerworld.com/article/3090146/blocking-javascript-can-stop-some-windows-malware.amp.html) to disable this horrible default on-click execution behavior in Windows through the GUI (and seems doable at scale in PowerShell) by changing the associated application.

My question is: Is just setting the default application to Notepad probably sufficient? Or is …

ad best practice cybersecurity domain js practice