Disable IE Protected Mode on Windows (Terminal) Server 2008.

We need to have Internet Explorer 8 to be in Protected Mode for almost all users on our Windows 2008 Terminal Server.   But a few users will need to run JAVA scripts on their terminal sessions so they need to have their IE8 security set to allow Active Scripting and Scripting of JAVA applets.   This server is not a domain controller or member of any domain.

Is there a way to disable IE8 Protected Mode for just a few users on our 40 user terminal server?
The Local security policy has the option Turn Off Protected Mode with a Not Configured state which is supposed to allow users to manually turn this security feature off.

I have also tried setting the individual terminal server user accounts as system administrators to see if that would help (it doesn't).
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Darius GhassemCommented:
If you were in a domain you could but since you are not in the domain I don't think there is a way to security filter these items or gpos out.
NetTokenAuthor Commented:
Ok, then, maybe the shotgun approach will work - where everyone has the ability to manually turn off Protected Mode in their IE8 Tools -> Internet Options -> Security, but it will be turned on by default.  I think that would work because most of our users wouldn't know how to get there.

I tried doing this in MMC \Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security...  But either I don't know how or this change can't be done with users logged into the terminal server.

Right now the option is greyed out for everyone but the system administrator.  When logged in as administrator, I can either turn off Protected Mode or modify the security options for the Internet Zone.  I would like the same ability for all 40 user accounts on the terminal server.

A little guidance/advice here would be greatly appreciated.  

Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

NetTokenAuthor Commented:
Thanks for the link Dariusq,
I believe that the Windows 2008 terminal server is having a problem with the local security policy.  When I go into the MMC \Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security settings and set the option for protected mode off, the change does not affect the terminal server's client accounts.  Everyone but the Administrator user has the option greyed out.

However, I found a link http://www.mydigitallife.info/2007/05/26/temporarily-disable-ie7-protected-mode-in-vista-on-ad-hoc-basis/  which describes a way to temporarily disable IE7 protected mode by using a run-as administrator function.  I tried this and it works!  I setup a new user named WebAdmin, joined it to the administrator group and was able to use that user name and password in order  to access the Protected Mode security settings and disable it.

Now I would like to see if a batch file can be created which has the commands that would do this.   I want to automate the process so that the user doesn't have to know the password for an administrator account on the Terminal Server.

My goal is to give her an Icon to launch IE8 with administrative privileges without having them enter a password.  

Can you help me with this or do I need to post it as a new question in a different group?
Darius GhassemCommented:
Try disabling UAC.
Darius GhassemCommented:
Then look at the GPO to see if you can edit. Or check to see if you can make the change without the Run as Admin option.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NetTokenAuthor Commented:
It looks like I can't use a batch command file because the runas command doesn't have a switch to handle passwords.

I'm going to try disabling the UAC tonight when everyone is off the terminal server.

NetTokenAuthor Commented:

It turns out that the local security policy on this Terminal Server is malfunctioning.  I did a test on our other two Terminal Servers and they operate correctly when setting the security option for protected mode on/off/disable.  No doubt I will be on the phone with Microsoft support for a while.

I'm going to award the 500 points to Dariusq for his assistance..
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.