Hi Everyone!

Axel Rivera again from the IE Escalation team with another IE Enhanced security topic for your viewing pleasure!

UPDATE: I have tested the .bat file that will disable IE Enhanced Security for both Windows 2003 / Windows 2008  and 2012 TS Servers. The key is that you have to execute the files while logon with the problem user.  Basically, once your user have these setting on their profile, the only way to remove it is to either Delete the profile and let it re-create again from a fixed profile or execute the fix mention in this article.

In this Blog I would like to share a batch file I use to help disable IE Enhanced Security silently on Windows servers.  The challenge is that if you have multiple servers, removing it from server console is not practical and can require tremendous administrative overhead.

Please note:  This is the the same task can be achieved from the Windows Add Removed Programs User Interface on Windows 2003 server and From Windows 2008 Server Manager Console!

Cut and paste the lines below into notepad and save the file as "DisableIEES.bat".  This will create a simple batch which can be used to disable IEES (IE Enhanced Security) or download it  here!

::START

ECHO OFF
REM  IEHarden Removal Project
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden Removal Project End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Rem out if you like to Backup the registry keys
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios
::Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow

::This apply to Windows 2003 Servers
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /f /va

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f

::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

:: Optional to remove warning on first IE Run and set home page to blank. remove the :: from lines below
:: 32-bit HKCU Keys
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
:: This will disable a warning the user may get regarding Protected Mode being disable for intranet, which is the default.
:: See article http://social.technet.microsoft.com/Forums/lv-LV/winserverTS/thread/34719084-5bdb-4590-9ebf-e190e8784ec7
:: Intranet Protected mode is disable. Warning should not appear and this key will disable the warning
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "NoProtectedModeBanner" /t REG_DWORD /d 1 /f

:: Removing Terminal Server Shadowing x86 32bit
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
::  Removing Terminal Server Shadowing Wow6432Node
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

::END

 

Here is where you can set the login script in a policy:

> From Start\run type: gpedit.msc

> From User Configuration

   > Windows Settings

      > Scripts(logon\logoff)

         > Select Logon

            > Click on the Add... btn

            > Click on the Browse... bnt

            > Navigate to the directory where you have the file I sent you (EXE or BAT)

               [You can copy the file to the default Logon script directory: %windir%\system32\grouppolicy\user\scripts\logon]

            > Apply and OK btn to complete

> Close GPEdit.msc

> Start\run type: gpupdate /force to update the policy

> Login with a profile you know have the problem and see if this takes care of the problem.

More information:

There are two parts to turning off IE Enhanced Security.

We need to first identify the registry keys used to change the IE Enhanced Configuration Settings.

Here are the keys as a .reg export format:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

@=""

"IEHarden"=dword:00000000

"UNCAsIntranet"=dword:00000000

"AutoDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]

"iehardenadmin"=dword:00000000

"iehardenuser"=dword:00000000

Then, we use the rundll32.exe command to execute the IEHarden.inf with some parameters to help turn off , the Machine "IEHardenMachineNow", Administrator "IEHardenAdminand" and User "IEHardenUser" configuration.

Here is the command I use to turn off IE Maintenance using the IEHarden.inf file:

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

After you execute the batch file from an existing user profile, you should consider logging out and login back in to make sure the changes take effect.  New users should now have IE Enhanced Security disabled.

 

Disabling IE Enhanced Security from Windows 2008 Server

To enable or disable IE ESC for all users that log on to the computer

  • Close Internet Explorer.
  • Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  • Under Security Information, click Configure IE ESC.

Note: Server Manager opens with the same window that was in use when it was last closed. If you do not see the Security Information section, click Server Manager in the console tree.

  • To disable IE ESC, click Off under both Administrators and Users, and then click OK. [ If when you are viewing the Internet Settings you see that the Security Zones are still gray-out enable IE ESC again and Disable it to make sure these settings takes effect. Internet Explorer should be closed When making these changes ]

Note: If Internet Explorer is open when IE ESC is enabled or disabled, you must restart Internet Explorer for the IE ESC changes to become active.

 


Other Related Blog Post:

 

 

Regards,

The IE Support Team