Solved

Group Policy to Disable IE Enhanced Security on Server 2008

Posted on 2011-09-12
8
1,839 Views
Last Modified: 2012-06-27
I have a lab with a number of 2008R2 member servers in a 2008R2 Domain.
I am trying to find a group policy setting to switch off IE Enhanced Security but cannot find the option

Does the option exist?
0
Comment
Question by:KCTS
8 Comments
 
LVL 12
ID: 36522735
0
 
LVL 77

Expert Comment

by:arnold
ID: 36522829
Enhanced security is a windows add-on which you could enforce through setting it for regular users while exempting administrative.
Win2k3 white paper on the matter to manage via GPO:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15013
I've not gone through the document, but thing the way it manages it is by defining within the GPO trusted sites which would be exempt from/bypass the enhanced security setting.
user configuration\Administrative templates\windows components\internet Explorer\Internet control panel\security page\
trusted site, etc.
Per user
or
http://social.technet.microsoft.com/forums/en-US/winserverGP/thread/14aa9d58-0e06-4236-b92c-ca770a464073 that includes a link to http://www.gpanswers.com/community/viewtopic.php?p=7868 as well as a post following this comment/link that deals with downloading an ADM file to to do what you want.
http://www.microsoft.com/download/en/details.aspx?id=18664
http://www.microsoft.com/download/en/search.aspx?q=ADM%20templates

http://technet.microsoft.com/en-us/library/cc780445%28WS.10%29.aspx
http://support.microsoft.com/kb/815141
http://technet.microsoft.com/en-us/library/cc728150%28WS.10%29.aspx

This is for windows 2008 by MS that covers the initial guide on adding sites to specific zones, which you might not want to do if you have many
http://technet.microsoft.com/en-us/library/dd883248%28WS.10%29.aspx

i was unable to locate a quick command line option that would uninstall/deselect this feature.
0
 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 36523075
In Windows Server 2008, this doesn’t work anymore. You have to click on the root folder in Server Manager. Then you scroll down to the Security Information Section and click “Configure IE ESC”. You can turn off IE ESC for Administrators and/or for users.
 IE Enhanced Security
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 70

Author Comment

by:KCTS
ID: 36523105
I know how to turn it off on a single server - but I have around 50 member servers (used for training and app development), on which I need to switch this off - surely there has to be a better way than doining it machine bu machine
0
 
LVL 77

Expert Comment

by:arnold
ID: 36523294
http://support.microsoft.com/kb/222444
sysocmgr.exe used to work, as http://www.itedge.net/blog/2007/08/08/disable-ie7-protected-mode-on-windows-server-2008/ not sure if it is still present in win2k8.

http://www.networknet.nl/apps/wp/archives/874
Try the command line on one.
If it works, you can push this as a startup directive on the OU to which these servers belong. To avoid having it run, you may want to have a check whether enhanced security is enabled.
http://www.vbsedit.com/scripts/desktop/ie/scr_258.asp
0
 
LVL 6

Accepted Solution

by:
mkuehngoe earned 250 total points
ID: 36528201
you can script it (using GPO or GPO preferences) like this:
You need two reg files, one for users, one for admins

ADMIN (iehardadmin.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenUser"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3011"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,55,00,73,00,65,00,72,00,00,00
"Dontask"=dword:00000002
"Locale"="en"

USER (ieharduser.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenAdmin"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3010"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,41,00,64,00,6d,00,69,00,6e,00,\
  00,00
"Dontask"=dword:00000002
"Locale"="en"

and finally this cmd
Regedit /s ieharduser.reg
Regedit /s iehardadmin.reg
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
0
 

Assisted Solution

by:IntrepidIT
IntrepidIT earned 250 total points
ID: 36530798
To do so, you can Download the adm file from the following link and import it to the GPO.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

 

Here are the detailed steps:

 

    1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
    2. Right-click a GPO and select Edit.
    3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
    4. Click the button Add, and then double-click the adm file to import it.
    5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
    6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in Windows 2003 domain.
0
 
LVL 70

Author Closing Comment

by:KCTS
ID: 36545555
Thanx to all
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question