Hi Everyone!
Axel Rivera again from the IE Escalation team with another IE Enhanced security topic for your viewing pleasure!
UPDATE: I have tested the .exe and .bat file that will disable IE Enhanced Security for both Windows 2003 and Windows 2008 TS Servers. The key is that you have to execute the files while logon with the problem user. Basically, once your user have these setting on their profile, the only way to remove it is to either Delete the profile and let it re-create again from a fixed profile or execute the fix mention in this article.
In this Blog I would like to share a batch file I use to help disable IE Enhanced Security silently on Windows 2003 servers. The challenge is that if you have multiple servers, removing it from server console is not practical and can require tremendous administrative overhead.
Please note: This is the the same task can be achieved from the Windows Add Removed Programs User Interface.
Cut and paste the lines below into notepad and save the file as "DisableIEES.bat". This will create a simple batch which can be used to disable IEES (IE Enhanced Security):
:: START
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: This will add the entry, as some cases we have seeing that the value is not even there, causing other problems. so, we just add it and later delete it
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::Removing IE Enhanced Security from System
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow
:: Disabling IEHarden for user
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "IEHarden" /t REG_DWORD /d 0 /f
:: Removes form Add Remove Components
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f
::Removed the Values from the IEHarden installed components key
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::END
Here is where you can set the login script in a policy:
> From Start\run type: gpedit.msc
> From User Configuration
> Windows Settings
> Scripts(logon\logoff)
> Select Logon
> Click on the Add... btn
> Click on the Browse... bnt
> Navigate to the directory where you have the file I sent you (EXE or BAT)
[You can copy the file to the default Logon script directory: %windir%\system32\grouppolicy\user\scripts\logon]
> Apply and OK btn to complete
> Close GPEdit.msc
> Start\run type: gpupdate /force to update the policy
> Login with a profile you know have the problem and see if this takes care of the problem.
More information:
There are two parts to turning off IE Enhanced Security.
We need to first identify the registry keys used to change the IE Enhanced Configuration Settings.
Here are the keys as a .reg export format:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=""
"IEHarden"=dword:00000000
"UNCAsIntranet"=dword:00000000
"AutoDetect"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iehardenadmin"=dword:00000000
"iehardenuser"=dword:00000000
Then, we use the rundll32.exe command to execute the IEHarden.inf with some parameters to help turn off , the Machine "IEHardenMachineNow", Administrator "IEHardenAdminand" and User "IEHardenUser" configuration.
Here is the command I use to turn off IE Maintenance using the IEHarden.inf file:
After you execute the batch file from an existing user profile, you should consider logging out and login back in to make sure the changes take effect. New users should now have IE Enhanced Security disabled.
You can download an executable that will perform the change for you.
Regards,
The IE Support Team