Hi,

I am sharing an .exe that will help you disable IE Enhanced Security on Windows 2008 or Windows 2003 TS servers.

Microsoft article 933991 outlines some of the known issues around IE Enhanced Security on Terminal Servers, but it does not provide the fix when dealing with an AD environment. Here I will show you how you can affect both new users and existing users.

The Scenario:

When you log on as a regular user, you discover that you cannot manage the IE security settings. Basically, the option to add Trusted Sites is grayed out, or a pre-defined group policy appears not to be getting applied.

Cause:

This is because IE Enhanced Security was turned on and has tattooed the user's profile.

We also know that this is an old issue that has carried over to newer Windows Servers: even when you have disabled IE Enhanced Security from the UI, it does not properly update the registry until you go back, enable it, and then disable it again. That action only affects new users; existing users will still have the entries in their profiles/registry.

Resolution:

I have written a .bat file and an .exe that will fix the problem profile. You will have to execute the .bat or .exe while logged on with the user account in order to affect that user's profile. So, to fix this particular scenario, you first want to fix the default profile by creating a new local user account. Fix this account with the .bat or .exe file, which will add the entries below, and then copy this new profile to the default profile.

To affect existing users, you can use the .exe or .bat as a logon script.

This is the best way to affect everyone.

Download the .exe: IEHarden_Disable.

 

Keys the .exe will affect:

Basically, I am running a fix.reg with the following keys:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows Registry Editor Version 5.00

; Remove the Active Setup "IsInstalled" markers for the two IE Enhanced Security components
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=-

; Per-user zone map for the profile that runs this file: turn the hardened zone map off
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
@=""
"IEHarden"=dword:00000000
"UNCAsIntranet"=dword:00000000
"AutoDetect"=dword:00000001

; Machine-wide component state: both IE Enhanced Security subcomponents off
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iehardenadmin"=dword:00000000
"iehardenuser"=dword:00000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From the .exe, I run a .bat that executes the following commands:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

regedit /s fix.reg

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Here is a .BAT file that performs the same function outlined above, but using reg.exe.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: If required, back up the registry keys
:: This is always a good idea before making registry changes
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

:: Reset the Active Setup markers for both IE Enhanced Security components
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

:: Run the IE hardening entry points (no space between the DLL name, the comma and the entry point)
Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin

:: Remove all values under the two Active Setup keys
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 


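As an added example (not code from the original post), here is a PowerShell audit script that reads back the same keys fix.reg and the .bat write, so you can confirm a profile is actually fixed before copying it to the default profile, or let a logon script skip the change when the profile is already clean. It uses only the key paths listed above and assumes nothing else about the environment.

```powershell
# Added example, not from the original post: read back the keys that fix.reg and
# the .bat touch and report whether this user's profile is still "tattooed".
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$keys = @{
    ActiveSetupA7 = "$activeSetup\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    ActiveSetupA8 = "$activeSetup\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    OCManager     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'
    ZoneMap       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-IEHardenState {
    New-Object PSObject -Property @{
        # Active Setup markers that fix.reg removes ("IsInstalled"=-)
        IsInstalledA7   = Get-RegValue $keys.ActiveSetupA7 'IsInstalled'
        IsInstalledA8   = Get-RegValue $keys.ActiveSetupA8 'IsInstalled'
        # Machine-wide component flags that fix.reg sets to 0 (off)
        IEHardenAdmin   = Get-RegValue $keys.OCManager 'iehardenadmin'
        IEHardenUser    = Get-RegValue $keys.OCManager 'iehardenuser'
        # Per-user flag in the current profile; 1 means the profile still carries ESC
        ProfileIEHarden = Get-RegValue $keys.ZoneMap 'IEHarden'
    }
}

$state = Get-IEHardenState
$state | Format-List IsInstalledA7, IsInstalledA8, IEHardenAdmin, IEHardenUser, ProfileIEHarden

# A profile is tattooed when the machine-wide flags are off (0 or absent)
# but the current user's ZoneMap still says IEHarden=1.
$machineOff = (-not $state.IEHardenAdmin) -and (-not $state.IEHardenUser)
if ($machineOff -and $state.ProfileIEHarden -eq 1) {
    Write-Output 'Tattooed profile: ESC is off machine-wide but this profile still has IEHarden=1.'
} elseif ($state.ProfileIEHarden -eq 1) {
    Write-Output 'ESC is on for this machine and applied to this profile.'
} else {
    Write-Output 'This profile does not carry IEHarden=1; no fix is needed for this user.'
}
```

Run it as the affected user (the HKCU values belong to whoever is logged on); in a logon script you can branch on the last message and only call the .bat when the profile is reported as tattooed.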
Related Article

933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

Profile Article: 

http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

Known issue with Windows 2008 and Profile Creation:

The documents you may find out there may not properly cover profile creation for Windows 2008 or Vista, so we have to use the steps below.

If we select "C:\Users\Default" as the path in Step 7-e of this article, it wipes all the data from the directory (after giving a warning, of course).
When a new user logs on, it picks up the custom profile from "C:\Users\Default".
The side effect of this workaround is that, because all the data is lost from "C:\Users\Default", the junction points are removed as well.

Note that in Windows Server 2008 and Windows Vista, there are junction points associated with the profile folders.

http://msdn.microsoft.com/en-us/library/bb968829(VS.85).aspx
http://www.svrops.com/svrops/articles/jpoints.htm

There might be applications that depend on these junction points, so below is the valid solution for this.

Solution

The following TechNet article talks about the valid steps to customize the default user profile.

Managing Roaming User Data Deployment Guide (Section : Create a Default Network User Profile)
http://technet.microsoft.com/en-us/library/cc766489.aspx

Creating the new profile:

1) Log on to a computer running Windows 2008 with any domain user account. Do not use a domain administrator account.

2) Configure user settings such as connection settings, zone settings, whatever you want this profile to have. Run the IE Enhanced Security .exe or .bat file so that this profile gets the IE Enhanced Security settings turned off. Log off the computer. MAKE SURE YOU TEST THIS NEW USER PROFILE!!! Log back in and double-check your settings to make sure this is what you want/need, then move on to the next steps.

3) Log on to the computer used in step 1 with a domain administrator account.

4) Click Start, right-click Computer, and then click Properties.

5) Click Advanced System Settings. Under User Profiles, click Settings.

6) The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.

7) In the Copy To dialog box, click the Browse button and find the path to the Windows default user folder.

8) In Permitted to use, click Change. Type the name Everyone, and then click OK.

9) Click OK to commit the changes.

NOTE: You can copy the working profile to your Sysvol netlogon share if you would like to affect everyone on your domain. Windows will use the local default profile when it cannot locate a default network profile.

It may be favorable to perform these steps during off-peak hours if you are working in a production environment. A default network profile is optional.

You can also use the .exe as a logon script, but this will be executed every time the user logs on to your network, which is not the best-case scenario.

 

Download:

You can download the zip file that contains the .exe from here.

 

Have fun,

Cheli

3 Responses to How to disable IE Enhance Security on Windows 2008 and Windows 2003

  • Dominoic says:

    This is a silly bug that has been around for ever and caused many wasted hours.

    This is one of those things that makes you go hmmmmm! What is worse: the fact that the feature is turned off 99% of the time and it does not work as it should, or the folks the feature is trying to protect you from…

    Thanks for the automation post.. You guys rock!!!!

  • Jamie says:

    This also caused me a lot of wasted hours… Thanks so much for the solution.

  • xelo says:

    Good to hear
