IE 8 forces changes enhanced security configuration to permanent on for users, 2008 terminal server

Posted on 2009-04-18
Last Modified: 2013-12-08
I have upgraded a Server 2008 Terminal Server with Internet Explorer 8.

This enabled Enhanced Security Configuration for regular users - previously it was disabled.
I can disable it, but this has no effect: although set to disabled, it remains on. This is not the case for administrator accounts, where turning the feature on or off works correctly.

Hope someone has a fix for this.
Question by:Flemming50

    Expert Comment

    Is this machine on a network and in a domain? Is Group Policy enabled?

    Author Comment

    The machine is networked and in a domain.
    There is one host machine, and four virtual servers on the machine. The terminal server is one of the virtual machines.
    I have not touched any Group Policy on the machine or in the domain regarding Internet Explorer. I have simply disabled the enhanced security on the machine for IE in the server manager. (As mentioned, it works for administrators but not for users, and it was OK before the IE8 upgrade.)

    Expert Comment

    I have the same problem on a W2003 Terminal Server. I followed this document, but it is still not working OK:

    Newly created profiles have no problems, but old users have many difficulties viewing websites. Grrr Microsoft.

    Author Comment

    Dvreede - yes, I have seen others on the web note that new profiles are OK, and existing users not.
    Those who have policies in GPO say that they have no effect and changes are ignored.

    Obviously unpalatable and unacceptable to have to delete and re-create all profiles!

    Expert Comment

    If you set these registry settings to "0" for each user it will free up the security settings so the user can adjust the internet security level in internet options from high to medium



    Hope this helps. It certainly sorted the issue out for our terminal server users (using IE8 and Windows Server 2003).

    Expert Comment


    We are experiencing the same thing. We run two terminal servers (on Server 2003) with load balancing. I upgraded one of the servers to IE8 and am unable to turn off the enhanced security configuration for my users.

    Have tried to disable via add/remove Windows components (which worked with IE7), but no luck.

    I haven't tried Cudmore's solution because we have too many users and it will be impractical.
    Anyone else got an idea?

    Expert Comment

    This "error" will also affect users who roam between a terminal server with IE7 and one with IE8. The problem will propagate over to servers with IE7 also.

    Start REGEDIT on the terminal server and check the following registry setting: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    If you find the IEHarden value set to 1 ("IEHarden"=dword:00000001) then you should change it to 0 ("IEHarden"=dword:00000000).
    After performing this on my servers I deleted my profile and logged back in again. It worked.
    So the problem is partially fixed. The "dumb" thing is that you have to delete every user's profile and recreate it.


    Expert Comment


    We run four terminal servers (Server 2003) with load balancing across them. We applied IE8 across all the servers and are experiencing the same problems with non-admin users. It will be impractical for us to have to delete every user profile from each of the terminal servers and then recreate them.

    Is there anybody that has a better solution to this problem? Why O why do Microsoft do this to us?

    Expert Comment

    I didn't worry about setting up new profiles... too hard and too many users. I just set up the registry changes to run as part of the users' logon scripts.

    I ran this reg change from a good old-fashioned bat file (silently of course)...
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

    Not too much work really.

    Accepted Solution


    It appears that I found a practical solution to this issue. IEESC makes changes to the zones and sets the security level to High for the Internet zone. I've changed that in Computer Configuration>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Internet Zone template to Medium level in the Terminal Servers lock-down policy. Tested OK. All users can browse the Internet with no problems. What is most important is that the proprietary application dependent on IE is working now!!! IEESC prompts disappeared. While it does not remove the fact that IEESC is still there, it provides a quick fix for those unlucky ones like me who installed IE8 on terminal servers and ran into trouble. I also uninstalled IE8 and installed and reinstalled IEESC to no avail. The perfect solution would be to find the registry key responsible for enabling IEESC even if it is not there.

    Good luck Everyone,

    Eugene Roukchan, Maclean Computing, Auckland, New Zealand.

    Expert Comment

    The script in the following article should resolve the problem; it calls the installer to forcibly remove Enhanced Security for all users. Tested okay on a 2003 Terminal Server just now, however it should work on 2008 with no problems also.

    NB, the script below removes the IEHarden registry entry for HKEY_CURRENT_USER - I found we didn't need to do this, as the entry didn't exist, but we were still having the problem anyway. See attached for the script which fixed the problem for us.

    P.S. the related Microsoft KB article for this is: From reading the article I get the impression they're not exactly sure under what situations this problem occurs. We've certainly installed IE8 on many terminal servers without experiencing the problem.
    ::Ensure IE Enhanced Security registry keys exist
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
    ::Forcibly uninstall IE Enhanced Security from Add/Remove Programs
    Rundll32 iesetup.dll,IEHardenUser
    Rundll32 iesetup.dll,IEHardenAdmin
    Rundll32 iesetup.dll,IEHardenMachineNow
    ::Delete registry values for Enhanced Security
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

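An added example, not part of the original posts: a read-only PowerShell report of the registry values named in this thread (the two Active Setup `IsInstalled` values, the Terminal Server install-mode `IEHarden` value, and each loaded user hive's `IEHarden`), so you can see which layer still holds the hardening before changing anything. It assumes PowerShell 2.0 or later in an elevated session; `Get-RegValue` and `New-Row` are hypothetical helper names.

```powershell
# Added example: read-only report of the IE ESC values named in this thread.
# Nothing is written to the registry. Get-RegValue / New-Row are hypothetical helpers.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$guids = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
         '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
$zoneMap  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$tsShadow = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' +
            "Terminal Server\Install\$zoneMap"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing key or value is reported, not treated as an error.
    $p = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return '(not set)' }
    return $p.$Name
}

function New-Row {
    param($Scope, $Key, $Name, $Data)
    New-Object PSObject -Property @{ Scope = $Scope; Key = $Key; Name = $Name; Data = $Data }
}

$rows = @()
foreach ($g in $guids) {
    $data = Get-RegValue "$activeSetup\$g" 'IsInstalled'
    $rows += New-Row 'Machine' "Active Setup $g" 'IsInstalled' $data
}
$rows += New-Row 'Machine' 'Terminal Server\Install ZoneMap' 'IEHarden' (Get-RegValue $tsShadow 'IEHarden')

# Per-user hives are only visible while loaded, i.e. for logged-on sessions.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $data = Get-RegValue "Registry::HKEY_USERS\$sid\$zoneMap" 'IEHarden'
        $rows += New-Row "User $sid" 'ZoneMap' 'IEHarden' $data
    }

$rows | Select-Object Scope, Key, Name, Data | Format-Table -AutoSize
```

Running it before and after any of the changes described in the thread shows whether the machine-level and per-user values actually moved.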


    Expert Comment

    TeamMaclean has it figured out.

    IE 8 was needed for Exchange OWA calendars, but destroyed ESC.

    Manually setting the levels in GPEDIT solved the problem.

    Note: IE8 doesn't seem to fully install on the Terminal Server. The Registry IE Version settings for IE 8 are not updated at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} and related keys. It lists: 7,0,6001,18000

    It should be: 8.0.6001.18813

    I'll bet this is at the core of the problem. Regardless, thanks to TeamMaclean for finding a solution.

    Author Closing Comment

    Best solution found

    Expert Comment

    Thanks so much, TeamMaclean! You made me look like the "QUEEN OF I.T." today!
