Internet Explorer Enhanced Security Configuration

Posted on 2003-11-20
Last Modified: 2008-01-09

2x Windows 2000 domain controllers
3x Windows 2000 Advanced Servers running Terminal Services
2x Windows 2003 Server Enterprise Edition servers running Terminal Services
1x Windows 2000 Server running IIS for web hosting

One of the applications used through terminal services is a web-based application that uses some JavaScript. This program runs fine when logging onto a 2k Apps server, but when you log on to the new 2003 servers the application gives the following error message when launching IE:

"Content within this application coming from the website listed below is being blocked by Internet Explorer Enhanced Security Configuration. If you trust this web-site you can lower your security configurations . . . .etc."

Users are then prompted to add this site to their trusted sites zone to be able to proceed. Once added the problem goes away for this user.

The problem is, there are thousands of users and we need this software to work seamlessly without any security pop-ups like this. I have gone into Windows components and uninstalled the Internet Explorer Enhanced Security Configuration but this has made no difference. I have configured the domain policy to add the site in question to the trusted sites zone for all users, but this policy just doesn't seem to implement when users log on. They still get the same error message and the only sites in the trusted zones listing are MS windows update sites.

The software we use must use IE as the browser. The browser software is only a small part of the whole package and so bandwidth/load to the IIS box is not in question. The rest of the software package (written in VB mainly) runs fine on the 2003 servers. The Apps servers use MS load balancing for TS logons and are all high spec servers on a 100Mbps / 1Gbps LAN.

Is there any way I can disable/switch off the IE Enhanced Security Configuration without having to deploy IEAK or something?

Cheers in advance.
Question by:pah250

Expert Comment

ID: 9788023
The solution I'm thinking of would require you to use group policy to either add the sites to the trusted sites list (in group policy: User Configuration\Windows Settings\Internet Explorer Maintenance\Security). You would then either adjust the security settings accordingly or add the appropriate sites to the trusted sites list.

This also depends on how your AD is set up.

Hope this gives you an idea.


Author Comment

ID: 9788480
Tried this. Every time I click to edit the Security Zones and Privacy I get a long-winded warning message that says "You have chosen to import settings that are compatible with computers that don't have IE Enhanced Security Configuration enabled. These security settings will be ignored on machines where the enhanced security configuration is enabled". I have disabled the Enhanced Security Configuration on all the 2003 boxes and configured this policy for the domain, but it has no effect.

Expert Comment

ID: 9790752
What service pack are you running on the 2000 domain controllers?


Author Comment

ID: 9800768
All the 2K servers are SP4

I've managed to sort it though now. There is a registry key in HKCU that stores all the security information and website entries for all 4 security zones in IE. Just needed to export the key to file and add it into the common logon script for all users - job done.

Accepted Solution

Lunchy earned 0 total points
ID: 10084034
PAQed, with points refunded (250)

Friendly Neighbourhood Community Support Admin

Expert Comment

ID: 12107409
pah250:  Can you post the registry key that was necessary?  The settings in the HKCU\Software\Internet Explorer\Security key don't seem to cut it.

Author Comment

ID: 12111895
The solution that we use to get around this is to first create a new user with domain admin rights and log on to the Windows 2003 terminal server. Then use IE to add in all the internal websites that domain users will need to access in the course of their normal life (users are restricted to a pre-set list of internal websites only). Then export the following hive and all sub hives:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

Then we add this registry file into the logon scripts for all domain users giving each user trusted access to our predefined list of internal web sites. Problem solved.

Expert Comment

ID: 12112913
Ah, OK.  I thought it was a solution to enabling web access to any websites.  What you've got here you can also do in group policies, but sometimes the good ol' reg file works just as well.
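
The logon-script approach from the accepted answer, as an added PowerShell example (not code from the thread): rather than importing a ZoneMap hive exported from an admin profile, it writes only an explicit list of sites into the Trusted sites zone, then lists every Trusted-zone entry so anything outside the list stands out. The host names are constructed placeholders, and writing the EscDomains branch as well as Domains assumes some servers may still have Enhanced Security Configuration enabled.

```powershell
# Added example. Host names below are constructed placeholders.
$TrustedZone = 2   # IE zone numbers: 1 = Local intranet, 2 = Trusted sites
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$Sites = @(
    @{ Domain = 'corp.example'; Sub = 'apps';     Scheme = 'http'  },
    @{ Domain = 'corp.example'; Sub = 'intranet'; Scheme = 'https' }
)

function Set-ZoneMapEntry {
    param([string]$Branch, [hashtable]$Site, [int]$Zone)
    # Layout: ZoneMap\<branch>\<domain>\<subdomain>, value name = scheme, DWORD = zone
    $key = "$ZoneMap\$Branch\$($Site.Domain)\$($Site.Sub)"
    # Create the key only if it is missing, so existing entries under it are left alone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Site.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-ZoneMapEntry {
    param([string]$Branch)
    $root = "$ZoneMap\$Branch"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $k = $_
        # Path relative to the branch, e.g. corp.example\apps
        $site = $k.Name -replace '^.*\\ZoneMap\\[^\\]+\\', ''
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Site = $site; Scheme = $name; Zone = $k.GetValue($name) }
        }
    }
}

$expected = $Sites | ForEach-Object { "$($_.Domain)\$($_.Sub)|$($_.Scheme)" }
# IE reads Domains when ESC is off and EscDomains when ESC is on
foreach ($branch in 'Domains', 'EscDomains') {
    foreach ($s in $Sites) { Set-ZoneMapEntry -Branch $branch -Site $s -Zone $TrustedZone }
    # Audit: every Trusted-zone mapping in this branch, flagged if not on the list
    Get-ZoneMapEntry -Branch $branch | Where-Object { $_.Zone -eq $TrustedZone } | ForEach-Object {
        $status = if ($expected -contains "$($_.Site)|$($_.Scheme)") { 'expected' } else { 'REVIEW' }
        '{0,-10} {1,-30} {2,-6} {3}' -f $branch, $_.Site, $_.Scheme, $status
    }
}
```

Entries marked REVIEW are Trusted-zone sites that are not on the list, such as preinstalled entries or sites a user added by hand.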


Question has a verified solution.
