• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2015
  • Last Modified:

Group Policy to Disable IE Enhanced Security on Server 2008

I have a lab with a number of 2008R2 member servers in a 2008R2 Domain.
I am trying to find a group policy setting to switch off IE Enhanced Security but cannot find the option

Does the option exist?
0
KCTS
Asked:
KCTS
2 Solutions
 
antony_kibble<!-8D58D5C365651885FB5A77A120C8C8C6-->Commented:
0
 
arnoldCommented:
Enhanced security is a windows add-on which you could enforce through setting it for regular users while exempting administrative.
Win2k3 white paper on the matter to manage via GPO:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15013
I've not gone through the document, but thing the way it manages it is by defining within the GPO trusted sites which would be exempt from/bypass the enhanced security setting.
user configuration\Administrative templates\windows components\internet Explorer\Internet control panel\security page\
trusted site, etc.
Per user
or
http://social.technet.microsoft.com/forums/en-US/winserverGP/thread/14aa9d58-0e06-4236-b92c-ca770a464073 that includes a link to http://www.gpanswers.com/community/viewtopic.php?p=7868 as well as a post following this comment/link that deals with downloading an ADM file to to do what you want.
http://www.microsoft.com/download/en/details.aspx?id=18664
http://www.microsoft.com/download/en/search.aspx?q=ADM%20templates

http://technet.microsoft.com/en-us/library/cc780445%28WS.10%29.aspx
http://support.microsoft.com/kb/815141
http://technet.microsoft.com/en-us/library/cc728150%28WS.10%29.aspx

This is for windows 2008 by MS that covers the initial guide on adding sites to specific zones, which you might not want to do if you have many
http://technet.microsoft.com/en-us/library/dd883248%28WS.10%29.aspx

i was unable to locate a quick command line option that would uninstall/deselect this feature.
0
 
Mohammed RahmanCommented:
In Windows Server 2008, this doesn’t work anymore. You have to click on the root folder in Server Manager. Then you scroll down to the Security Information Section and click “Configure IE ESC”. You can turn off IE ESC for Administrators and/or for users.
 IE Enhanced Security
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
KCTSAuthor Commented:
I know how to turn it off on a single server - but I have around 50 member servers (used for training and app development), on which I need to switch this off - surely there has to be a better way than doining it machine bu machine
0
 
arnoldCommented:
http://support.microsoft.com/kb/222444
sysocmgr.exe used to work, as http://www.itedge.net/blog/2007/08/08/disable-ie7-protected-mode-on-windows-server-2008/ not sure if it is still present in win2k8.

http://www.networknet.nl/apps/wp/archives/874
Try the command line on one.
If it works, you can push this as a startup directive on the OU to which these servers belong. To avoid having it run, you may want to have a check whether enhanced security is enabled.
http://www.vbsedit.com/scripts/desktop/ie/scr_258.asp
0
 
mkuehngoeCommented:
you can script it (using GPO or GPO preferences) like this:
You need two reg files, one for users, one for admins

ADMIN (iehardadmin.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenUser"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3011"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,55,00,73,00,65,00,72,00,00,00
"Dontask"=dword:00000002
"Locale"="en"

USER (ieharduser.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenAdmin"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3010"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,41,00,64,00,6d,00,69,00,6e,00,\
  00,00
"Dontask"=dword:00000002
"Locale"="en"

and finally this cmd
Regedit /s ieharduser.reg
Regedit /s iehardadmin.reg
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
0
 
IntrepidITCommented:
To do so, you can Download the adm file from the following link and import it to the GPO.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

 

Here are the detailed steps:

 

    1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
    2. Right-click a GPO and select Edit.
    3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
    4. Click the button Add, and then double-click the adm file to import it.
    5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
    6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in Windows 2003 domain.
0
 
KCTSAuthor Commented:
Thanx to all
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now