I am using RB 1200. Ether 0 connect to web server, ether 1 connect to LAN. The web server has "upload" menu. sometimes I need to drop uploading certain file extension (such as exe, etc) from the visitors. Can anyone recommend good firewall setting to do this job?

enable transparent web proxy in routeros
you can block downloading by file types using following code:

/ip proxy access add path=*.mp3 action=deny

thanks for reply, but I need to drop uploading not downloading.

my bad,
one method would be to capture some packets from an user initiating an upload of a forbidden file, then analyze them and determine a pattern, with this pattern generate a l7 filter.
but l7 is resource intensive
and it would not work if the connection is https (i don't know if it's possible to upload files via https).

I am using MB1200