Hi,
I am sharing an .exe that will help you disable IE Enhanced Security on Windows 2008 or Windows 2003 TS servers.
Microsoft article 933991 outlines some of the known issues around IE Enhanced Security on Terminal Servers, but it does not give you the fix when dealing with an AD environment. Here I will show you how you can affect both new users and existing users.
When you log on as a regular user, you discover that you cannot manage the IE security settings: the option to add Trusted Sites is grayed out, or a pre-defined group policy appears to be set even though it is not actually being applied.
This is because IE Enhanced Security was turned on and tattooed the user's profile.
We also know this is an old issue that has carried over to newer Windows Servers: even when you have disabled IE Enhanced Security from the UI, it does not properly update the registry until you go back, enable it, and then disable it again. That action only affects new users; existing users will still have the entries in their profiles/registry.
I have written a .bat file and an .exe that will fix the problem profile. You will have to execute the .bat or .exe while logged on with the user account in order to affect that user's profile. So, to fix this particular scenario, first fix the Default profile: create a new local user account, fix that account with the .bat or .exe (which adds the entries below), and then copy this new profile over the Default profile.
To affect existing users, you can use the .exe or .bat as a logon script.
This is the best way you can affect everyone.
Download the .exe: IEHarden_Disable
Basically, I am running a fix.reg with the following keys:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Windows Registry Editor Version 5.00

; Header above is required or "regedit /s" silently rejects the file.
; Active Setup components for IE ESC: A7 = Administrators group, A8 = Users group.
; "IsInstalled"=- deletes the value so Active Setup stops applying ESC to new profiles.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

; Per-user zone map: IEHarden is the value that tattoos an existing profile.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=""
"IEHarden"=dword:00000000
"UNCAsIntranet"=dword:00000000
"AutoDetect"=dword:00000001

; Optional Component Manager state that the Server Manager UI reads.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iehardenadmin"=dword:00000000
"iehardenuser"=dword:00000000
From the .exe, I have a .bat that executes the following commands:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: Import the keys above silently (fix.reg must sit next to the .bat)
regedit /s fix.reg
:: Let iesetup.dll re-read the flags and rewrite the zone settings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: If required, back up the registry keys
:: This is always a good idea before making registry changes
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"
:: Mark both Active Setup components (Administrators and Users) as not installed
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
:: Re-run the hardening entry points so they apply the new (off) state
Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
:: Finally remove all values under both component keys
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va
Related article:
933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
Profile article:
http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx
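As an added example (my own code, not the IEHarden_Disable .exe or either .bat above), here is the same fix as a PowerShell script with a state check, so you can see whether a machine or profile is really in the half-toggled state described earlier before and after running it. It serves both the fix.reg/.bat pair and the KB-style script: it sets IsInstalled to 0 on both Active Setup components rather than deleting them, runs the iesetup.dll entry points, and writes the ZoneMap values for the current user. It assumes Windows Server 2008 with PowerShell 2.0 or later and an elevated session for the HKLM part; the function names are mine.

```powershell
# Added example: disable IE Enhanced Security Configuration and verify the
# registry state. Not the post's own .exe/.bat. Assumes Windows Server 2008
# (PowerShell 2.0+) and an elevated session for the HKLM changes.

$ActiveSetupRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$AdminGuid = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'   # ESC for the Administrators group
$UserGuid  = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'   # ESC for the Users group
$OcManager = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-RegDword {
    # Returns the DWORD at $Path\$Name, or $null when the key or value is missing.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Set-RegDword {
    # Creates the key if needed, then writes the DWORD (safe to re-run).
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Get-IEEscState {
    # The values that decide whether ESC is applied: the machine-wide Active Setup
    # flags (new profiles) and the per-user ZoneMap value (the existing profile).
    New-Object PSObject -Property @{
        AdminIsInstalled    = Get-RegDword "$ActiveSetupRoot\$AdminGuid" 'IsInstalled'
        UserIsInstalled     = Get-RegDword "$ActiveSetupRoot\$UserGuid"  'IsInstalled'
        OcIEHardenAdmin     = Get-RegDword $OcManager 'iehardenadmin'
        OcIEHardenUser      = Get-RegDword $OcManager 'iehardenuser'
        CurrentUserIEHarden = Get-RegDword $ZoneMap   'IEHarden'
    }
}

function Disable-IEEsc {
    # Machine side: mark both Active Setup components as not installed and clear
    # the OC Manager flags that the Server Manager UI reads.
    foreach ($guid in @($AdminGuid, $UserGuid)) {
        Set-RegDword "$ActiveSetupRoot\$guid" 'IsInstalled' 0
    }
    foreach ($name in @('iehardenadmin', 'iehardenuser')) {
        Set-RegDword $OcManager $name 0
    }
    # Let iesetup.dll re-read those flags and rewrite the zone settings.
    # rundll32 is a GUI-subsystem binary, so wait for each call explicitly.
    foreach ($entry in @('IEHardenLMSettings', 'IEHardenUser', 'IEHardenAdmin')) {
        Start-Process -FilePath 'rundll32.exe' -ArgumentList "iesetup.dll,$entry" -Wait
    }
    # User side: write the ZoneMap values directly, as fix.reg does, so a profile
    # that was already tattooed is corrected even if the DLL leaves it alone.
    Set-RegDword $ZoneMap 'IEHarden'      0
    Set-RegDword $ZoneMap 'UNCAsIntranet' 0
    Set-RegDword $ZoneMap 'AutoDetect'    1
}

function Test-IEEscDisabled {
    # $true only when the machine flags and the current user's profile agree.
    $s = Get-IEEscState
    return ($s.AdminIsInstalled -eq 0 -and $s.UserIsInstalled -eq 0 -and
            $s.CurrentUserIEHarden -eq 0)
}

# Usage: run from the account whose profile you want fixed (elevated for HKLM).
Get-IEEscState | Format-List
Disable-IEEsc
if (Test-IEEscDisabled) { 'IE ESC is off for this machine and this user' } else { 'IE ESC is still on' }
```

Run Get-IEEscState on a box that shows the "disabled in the UI but still enforced" symptom and you will typically see the machine flags at 0 while CurrentUserIEHarden is still 1; that mismatch is what the per-user ZoneMap write at the end corrects. The HKCU part only touches the account the script runs under, which is why the post has you run it as the template user or as a logon script.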
Known issue with Windows 2008 and profile creation:
The documents you may find out there do not properly cover profile creation for Windows 2008 or Vista, so we have to use the steps below.
If you select "C:\Users\Default" as the path in step 7-e of the profile article above, it wipes all data from that directory (after giving a warning, of course).
When a new user logs on, the custom profile is picked up from "C:\Users\Default".
The side effect of this workaround is that, because all data is removed from "C:\Users\Default", the junction points are removed too.
Note that in Windows Server 2008 and Windows Vista there are junction points associated with the profile folders:
http://msdn.microsoft.com/en-us/library/bb968829(VS.85).aspx
http://www.svrops.com/svrops/articles/jpoints.htm
There may be applications that depend on these junction points, so the valid solution is given below.
Solution
The following TechNet article describes the valid steps to customize the default user profile:
Managing Roaming User Data Deployment Guide (Section : Create a Default Network User Profile)
http://technet.microsoft.com/en-us/library/cc766489.aspx
Creating the new profile:
1) Log on to a computer running Windows 2008 with any domain user account. Do not use a domain administrator account.
2) Configure the user settings you want this profile to have (connection settings, zone settings, and so on). Run the IE Enhanced Security .exe or .bat so that this profile gets IE Enhanced Security turned off. Log off the computer. MAKE SURE YOU TEST THIS NEW USER PROFILE: log back on and double-check the settings to make sure they are what you want/need, then move on to the next steps.
3) Log on to the computer used in step 1 with a domain administrator account.
4) Click Start, right-click Computer, and then click Properties.
5) Click Advanced System Settings. Under User Profiles, click Settings.
6) The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1, then click Copy To.
7) In the Copy To dialog box, click Browse and select the Windows default user folder.
8) Under Permitted to use, click Change. Type Everyone, and then click OK.
9) Click OK to commit the changes.
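Before trusting a rebuilt Default profile, it is worth confirming offline that its hive really carries the IEHarden value at 0, because every new logon silently copies whatever is in C:\Users\Default. The following is an added example of my own (not part of the post or the TechNet article): it loads NTUSER.DAT from the Default profile under a temporary HKEY_USERS name with reg.exe, reads the ZoneMap value, and unloads the hive again. It assumes an elevated PowerShell 2.0+ session on Windows Server 2008 and the standard C:\Users\Default path; the mount name and function name are mine.

```powershell
# Added example: check the Default profile hive offline for the IE ESC value.
# Not from the post. Assumes elevated PowerShell 2.0+ on Windows Server 2008
# and the standard C:\Users\Default location (adjust $DefaultHive otherwise).

$DefaultHive = 'C:\Users\Default\NTUSER.DAT'
$MountName   = 'IEHardenCheck'   # temporary subkey under HKEY_USERS (my choice)

function Test-DefaultProfileIEHarden {
    param([string]$HivePath = $DefaultHive)

    # NTUSER.DAT is a hidden file; File.Exists ignores attributes.
    if (-not [System.IO.File]::Exists($HivePath)) {
        throw "Hive not found: $HivePath"
    }
    # The registry provider cannot load hives, so use reg.exe for load/unload.
    $out = & reg.exe load "HKU\$MountName" $HivePath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg load failed: $out" }

    try {
        $zone = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
        $value = $null
        $item = Get-ItemProperty -Path $zone -Name IEHarden -ErrorAction SilentlyContinue
        if ($item -ne $null) { $value = [int]$item.IEHarden }
        $result = New-Object PSObject -Property @{
            HivePath = $HivePath
            IEHarden = $value          # $null means the value was never written
            Disabled = ($value -eq 0)
        }
    }
    finally {
        # Drop provider handles before unloading, or reg unload reports access denied.
        $item = $null
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
    return $result
}

# Usage: run after the Copy To step, before any new user logs on.
$check = Test-DefaultProfileIEHarden
$check | Format-List
if (-not $check.Disabled) { Write-Warning 'Default profile still has IE ESC enabled' }
```

A result with IEHarden equal to $null means the template account was never actually run through the fix before it was copied; a value of 1 means the copy came from a profile that was still tattooed. Either way, fix the template account and repeat the Copy To step rather than letting new users inherit it.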
NOTE: You can copy the working profile to the NETLOGON share in SYSVOL if you want to affect everyone on your domain. Windows uses the local default profile when it cannot locate a default network profile.
If you are working in a production environment, it may be preferable to perform these steps during off-peak hours. A default network profile is optional.
You can also use the .exe as a logon script, but it will then be executed every time the user logs on to your network, which is not the ideal scenario.
Download:
You can download the zip file that contains the .exe from here.
Have fun,
Cheli