  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5388

IE 8 forces Enhanced Security Configuration permanently on for users, 2008 terminal server

I have upgraded a Server 2008 Terminal Server with Internet Explorer 8.

This enabled Enhanced Security Configuration for regular users - previously it was disabled.
I can disable it, but this has no effect; although set to disabled, it remains on. This is not the case for administrator accounts, where turning the feature on or off works correctly.

Hope someone has a fix for this.

C-Shadows (Engineer - Support) Commented:
Is this machine on the network and in a domain? Is Group Policy enabled?

Flemming50 (Author) Commented:
The machine is networked and in a domain.
There is one host machine, and four virtual servers on the machine. The terminal server is one of the virtual machines.
I have not touched any Group Policy on the machine or in the domain regarding Internet Explorer. I have simply disabled the enhanced security on the machine for IE in the Server Manager. (As mentioned, it works for administrators, but not for users, and it was OK before the IE8 upgrade.)

dvreede Commented:
I have the same problem on a W2003 Terminal server. I followed this document, but it is still not working OK:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Newly created profiles have no problems, but old users have many difficulties viewing websites. Grrr Microsoft.
 
Flemming50 (Author) Commented:
Dvreede - yes, I have seen others on the web note that new profiles are OK, and existing users not.
Those who have policies in GPO say that they have no effect and changes are ignored.

Obviously unpalatable and unacceptable to have to delete and re-create all profiles!

cudmore Commented:
If you set these registry settings to "0" for each user it will free up the security settings so the user can adjust the internet security level in Internet Options from high to medium.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Hope this helps. It certainly sorted the issue out for our terminal server users (using IE8 and Windows Server 2003).

Jim_AR Commented:
Hi,

We are experiencing the same thing. We run two terminal servers (on Server 2003) with load balancing. I upgraded one of the servers to IE8 and am unable to turn off the Enhanced Security Configuration for my users.

Have tried to disable via add/remove Windows components (which worked with IE7), but no luck.

I haven't tried Cudmore's solution because we have too many users and it will be impractical.
Anyone else got an idea?

Jim_AR Commented:
Update:
This "error" will also affect users who roam between a terminal server with IE7 and one with IE8. The problem will propagate over to servers with IE7 also.

However:
http://www.brianmadden.com/forums/t/16982.aspx
Start REGEDIT on the terminal server and check the following registry setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
If you find this IEHarden value set to 1 ("IEHarden"=dword:00000001) then you should change it to 0 ("IEHarden"=dword:00000000).
After performing this on my servers I deleted my profile and logged back in again. It worked.
So the problem is partially fixed. The "dumb" thing is that you have to delete every user's profile and recreate it.

Morne_Icas Commented:
Hi,

We run four terminal servers (Server 2003) with load balancing across them. We applied IE8 across all the servers and are experiencing the same problems with non-admin users. It will be impractical for us to have to delete every user profile from each of the terminal servers and then recreate them.

Is there anybody that has a better solution to this problem? Why O why do Microsoft do this to us?

cudmore Commented:
I didn't worry about setting up new profiles... too hard and too many users. I just set up the registry changes to run as part of the users' logon scripts.

I ran this reg change from a good old-fashioned bat file (silently of course)...
----
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"IEHardenIENoWarn"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IEHarden"=dword:00000000
----

Not too much work really.

TeamMaclean Commented:
Hi,

It appears that I found a practical solution to this issue. IEESC makes changes to the zones and sets the security level to High for the Internet zone. I've changed that in Computer Configuration>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Internet Zone template to Medium level in the Terminal Servers lock-down policy. Tested OK. All users can browse the Internet with no probs. What is most important is that the proprietary application dependent on IE is working now!!! IEESC prompts disappeared. While it does not remove the fact that IEESC is still there, it provides a quick fix for those not-so-lucky ones like me who installed IE8 on terminal servers and ran into trouble. I also uninstalled IE8 and installed and reinstalled IEESC to no avail. The perfect solution would be to find the registry key responsible for enabling IEESC even if it is not there.

Good luck Everyone,

Eugene Roukchan, Maclean Computing, Auckland, New Zealand.

kibatsu Commented:
The script in the following article should resolve the problem; it calls the installer to forcibly remove Enhanced Security for all users. Tested okay on a 2003 Terminal Server just now; however, it should work on 2008 with no problems also.

http://blogs.msdn.com/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

NB, the script below removes the IEHarden registry entry for HKEY_CURRENT_USER - I found we didn't need to do this, as the entry didn't exist, but we were still having the problem anyway. See attached for the script which fixed the problem for us.

P.S. the related Microsoft KB article for this is: http://support.microsoft.com/kb/933991. From reading the article I get the impression they're not exactly sure under what situations this problem occurs. We've certainly installed IE8 on many terminal servers without experiencing the problem.

::Ensure IE Enhanced Security registry keys exist
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

::Forcibly uninstall IE Enhanced Security from Add/Remove Programs
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow

::Delete registry values for Enhanced Security
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

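
A read-only check of the registry values named in the posts above, as an added example that is not part of any post in this thread: it reports IsInstalled for the two Active Setup components, IEHarden in the Terminal Server Install shadow key, and IEHarden / IEHardenIENoWarn for every user hive currently loaded under HKEY_USERS. The function name Get-EscValue and the report columns are illustrative, and only the hives of logged-on users are visible.

```powershell
# Added example: read-only audit of the IE ESC registry values discussed in this thread.
# Get-EscValue and the report columns are illustrative names, not a Microsoft tool.
function Get-EscValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return 'key missing' }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value missing' }
    return $item.$Name
}

$internetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$activeSetup      = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$tsInstall        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install'

# Machine-wide locations: (label, key path, value name)
$targets = @(
    @('Active Setup A509B1A7', "$activeSetup\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}", 'IsInstalled'),
    @('Active Setup A509B1A8', "$activeSetup\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}", 'IsInstalled'),
    @('TS Install shadow key', "$tsInstall\$internetSettings\ZoneMap", 'IEHarden')
)

# Per-user locations: every hive currently loaded under HKEY_USERS.
# The *_Classes hives are skipped because they hold no Internet Settings key.
$hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $hives) {
    $sid  = $hive.PSChildName
    $root = "Registry::HKEY_USERS\$sid\$internetSettings"
    $targets += ,@("User $sid", "$root\ZoneMap", 'IEHarden')
    $targets += ,@("User $sid", $root, 'IEHardenIENoWarn')
}

# NonZero marks a value that is present and differs from the 0 the posts above set.
$report = foreach ($t in $targets) {
    $value = Get-EscValue -Path $t[1] -Name $t[2]
    New-Object PSObject -Property @{
        Location = $t[0]; Name = $t[2]; Value = $value
        NonZero  = ($value -is [int] -and $value -ne 0)
    }
}
$report | Select-Object Location, Name, Value, NonZero | Format-Table -AutoSize
```

A "value missing" result in a user hive does not by itself show that ESC is off for that user; kibatsu's post above describes the problem persisting with no HKEY_CURRENT_USER IEHarden entry present.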
 
waynehedrick Commented:
TeamMaclean has it figured out.

IE 8 was needed for Exchange OWA calendars, but destroyed ESC.

Manually setting the levels in GPEDIT solved the problem.

Note:  IE8 doesn't seem to fully install on the Terminal Server.  The Registry IE Version settings for IE 8 are not updated at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} and related keys.  It lists:  7,0,6001,18000

It should be:  8.0.6001.18813

I'll bet this is at the core of the problem. Regardless, thanks to TeamMaclean for finding a solution.

Flemming50 (Author) Commented:
Best solution found

renre Commented:
Thanks so much, TeamMaclean! You made me look like the "QUEEN OF I.T." today!