elorc asked:

Windows 2008 IE ESC will not disable

Ok, so Internet Explorer Enhanced Security Configuration is a total pain. I've disabled it on my Windows 2008 server through Server Manager. I've checked and re-checked that it shows IE Enhanced Security Configuration is OFF for Users and OFF for Administrators. When logging in through Remote Desktop Connection 6.0, my test user still has IE ESC enabled. So I applied the GPO fix from this URL:

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#_Q2:_How_can

Added the ADM, went to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Explorer Enhanced Security Configuration and set the value "Enhance Internet Explorer Security for User accounts on this machine" and "Enhance Internet Explorer Security for Admin accounts on this machine" both to DISABLED. The third option, "Group Policy users: click here and read explanation" I left as "Not Configured" since none of the instructions indicate changing this value (and its own explanation field seems to indicate that it's just a sort of readme to make sure that you set the filtering properly).

Forced a policy update with gpupdate. Rebooted the machine. Still nothing. What's the deal with this damn thing?

Coolie Sheppard

Do an RSOP on the machine - there may be a conflict between two policies.

elorc (ASKER)

Chev_PCN: When I run RSOP on the computer, it shows under Extra Registry Settings that it's assigning a value of 0 to iehardenadmin and iehardenuser keys. I didn't see anything conflicting with that, but I did notice that the "Computer Configuration" node has a red "x" over its icon. I'm not sure if that means that something isn't loading right or what. So I went into Event Viewer and saw event 1058 under System:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\sysvol\my.domain.com\Policies\{C0A653CB-B55A-49A1-8BC0-4731169C8816}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

It seems to occur roughly every hour. I made the registry modification on the user in question per chepfam's recommendation. I don't know if that's what fixed it, though; if the GPO isn't applying properly based on the above error message, it's entirely possible that it's working now but will stop working again later.

Any ideas what's causing that error to show up?

elorc (ASKER)

I should mention that I don't see this same error popping up on any of my other servers.

elorc (ASKER)

Ok, something's definitely wrong with the policies as they are being applied to this server. I set up a software hash restriction to block access to PowerShell, which was successfully blocking it on my test user yesterday. Now it's allowing me to launch it.

Very strange.
ASKER CERTIFIED SOLUTION
Chev_PCN