
Issue 616218

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




"Always allowed to run" overrides enterprise plugin policy

Project Member Reported by wfh@chromium.org, May 31 2016

Issue description

A user can tick "Always allowed to run" for Adobe Flash Player, and it will always run without prompting, even if the enterprise has set a click-to-play policy (DefaultPluginsSetting to 3 = Click to play).

 

Comment 1 by wfh@chromium.org, Jun 1 2016

Cc: lafo...@chromium.org cjbrowne@google.com
Components: Security
Status: Available (was: Untriaged)

Comment 2 by wfh@chromium.org, Jun 1 2016

Cc: hua...@chromium.org
Labels: Enterprise-triaged
Cc: georgesak@chromium.org
Owner: hua...@chromium.org
I'll look into this.
Under policy settings, "Default plugins settings", the options are:
  A. Allow all sites to automatically run plugins
  B. Block all plugins
  C. Click to play

Under chrome://settings/content, the options under "Plugins" are:
  1. Run all plugin content
  2. Detect and run important plugin content (recommended)
  3. Let me choose when to run plugin content

The mappings are A => 1, {B,C} => 3

Meanwhile, under chrome://plugins there's also "Always allowed to run".
  - If "Disable": Flash vanishes regardless of {A,B,C}.
  - If unchecked: Flash box appears, {A,B,C} work as:
    A => Plays.
    B => "Adobe Flash Player is not allowed"
    C => "Right-click to play Adobe Flash Player"
  - If checked: Flash box appears, {A,B,C} work as:
    A => Plays.
    B => "Adobe Flash Player is not allowed"
    C => Plays.  [PROBLEM IS HERE]

Comment 6 by wfh@chromium.org, Jun 7 2016

I agree with #5

I was thinking make policy C "Click to play" force-disable and grey out the checkbox "Always allowed to run" and make it force disabled. I don't think this has any unwanted side effects.

If you want I can land this code, since I made some changes to this recently anyway.
Owner: wfh@chromium.org
wfh@: Okay, I'm assigning the bug to you.  Thanks!

Comment 8 by wfh@chromium.org, Jun 8 2016

Labels: Hotlist-Fixit-PE2016
Status: Assigned (was: Available)

Comment 9 by wearing@google.com, Jul 11 2016

Cc: wearing@google.com
Issue 625783 has been merged into this issue.
Cc: blumberg@chromium.org saswat@chromium.org
Any chance you can make this change soonish so that it ends up in the next release? Maybe even propose it for merging into 53 if this is considered critical enough.

Obviously the fixit is now over so it won't make it for it :)

Comment 12 by wfh@chromium.org, Jul 14 2016

Status: Started (was: Assigned)
Sure, I can do this now*.

* by some loose definition of now.
Project Member

Comment 13 by bugdroid1@chromium.org, Jul 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9610a5e34ea06ea1c9067f72224a62658620108c

commit 9610a5e34ea06ea1c9067f72224a62658620108c
Author: wfh <wfh@chromium.org>
Date: Tue Jul 19 02:58:21 2016

Disallow user overrides to enterprise policy for plugins.

This CL changes the code in two places:

Firstly, in the actual plugin loading logic, in
PluginInfoMessageFilter::Context::GetPluginContentSetting
there was previously an exception for CONTENT_SETTING_ASK
which meant that it could override enterprise policy.

Secondly, in the UI, this disables the tick box to "Always
allowed to run" on chrome://plugins when enterprise policy
is CONTENT_SETTING_ASK (3).

BUG= 616218 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2150323003
Cr-Commit-Position: refs/heads/master@{#406197}

[modify] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/plugins/plugin_info_message_filter.cc
[modify] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/resources/plugins.html
[modify] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/resources/plugins.js
[add] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/ui/webui/plugins/OWNERS
[modify] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/ui/webui/plugins/plugins.mojom
[modify] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/ui/webui/plugins/plugins_handler.cc
[modify] https://crrev.com/9610a5e34ea06ea1c9067f72224a62658620108c/chrome/browser/ui/webui/plugins/plugins_handler.h
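
The truth table from the earlier comment and the two changes described in the commit message can be modelled as a small decision function with an invariant check. This is an added example, not Chromium source and not part of the original thread: every type and function name is hypothetical, and it assumes the user exception is still honoured when the setting is not managed.

```cpp
#include <vector>

// Simplified model for illustration; all names are hypothetical, not Chromium source.
enum class Setting { kAllow, kBlock, kAsk };  // options A, B, C in the thread
enum class Outcome { kPlays, kNotAllowed, kClickToPlay };

struct PluginState {
  Setting setting;      // effective default plugin setting
  bool managed;         // true when the setting comes from enterprise policy
  bool always_allowed;  // user ticked "Always allowed to run"
};

static Outcome FromSetting(Setting s) {
  switch (s) {
    case Setting::kAllow: return Outcome::kPlays;
    case Setting::kBlock: return Outcome::kNotAllowed;
    case Setting::kAsk:   return Outcome::kClickToPlay;
  }
  return Outcome::kNotAllowed;  // fail closed on an unexpected value
}

// Behaviour reported in the thread: the checkbox upgrades "ask" to "plays"
// without checking whether the setting is managed.
Outcome ResolveBefore(const PluginState& s) {
  if (s.setting == Setting::kAsk && s.always_allowed) return Outcome::kPlays;
  return FromSetting(s.setting);
}

// Hardened form: the user exception applies only to an unmanaged setting.
Outcome ResolveAfter(const PluginState& s) {
  if (s.setting == Setting::kAsk && s.always_allowed && !s.managed)
    return Outcome::kPlays;
  return FromSetting(s.setting);
}

// UI counterpart: grey out the checkbox when policy is click-to-play.
bool CheckboxEnabled(const PluginState& s) {
  return !(s.managed && s.setting == Setting::kAsk);
}

// Invariant: under a managed setting the outcome must equal the policy's own
// outcome. Returns every managed state where `resolve` breaks that.
std::vector<PluginState> PolicyViolations(Outcome (*resolve)(const PluginState&)) {
  std::vector<PluginState> bad;
  for (Setting s : {Setting::kAllow, Setting::kBlock, Setting::kAsk})
    for (bool checked : {false, true}) {
      PluginState st{s, /*managed=*/true, checked};
      if (resolve(st) != FromSetting(s)) bad.push_back(st);
    }
  return bad;
}
```

Enumerating every managed state against the invariant is a cheap regression test for this class of bug: any user-level preference that changes the outcome under a managed setting shows up as a violation.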

Labels: -Enterprise-triaged Enterprise-Triaged
Should the status be changed to Fixed?

Comment 15 by wfh@chromium.org, Sep 15 2016

Status: Fixed (was: Started)
think so. was never verified by TE so hopefully setting this to fixed will trigger that.

this was in 54.0.2801.0 so can be verified in beta 54.0.2840.27
