Solved

Group Policy to Disable IE Enhanced Security on Server 2008

Posted on 2011-09-12
8
1,800 Views
Last Modified: 2012-06-27
I have a lab with a number of 2008R2 member servers in a 2008R2 Domain.
I am trying to find a group policy setting to switch off IE Enhanced Security but cannot find the option.

Does the option exist?
Question by:KCTS
8 Comments
 
 
LVL 76

Expert Comment

by:arnold
ID: 36522829
Enhanced security is a Windows add-on which you could enforce through setting it for regular users while exempting administrative.
Win2k3 white paper on the matter to manage via GPO:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15013
I've not gone through the document, but think the way it manages it is by defining within the GPO trusted sites which would be exempt from/bypass the enhanced security setting.
user configuration\Administrative templates\windows components\internet Explorer\Internet control panel\security page\
trusted site, etc.
Per user
or
http://social.technet.microsoft.com/forums/en-US/winserverGP/thread/14aa9d58-0e06-4236-b92c-ca770a464073 that includes a link to http://www.gpanswers.com/community/viewtopic.php?p=7868 as well as a post following this comment/link that deals with downloading an ADM file to do what you want.
http://www.microsoft.com/download/en/details.aspx?id=18664
http://www.microsoft.com/download/en/search.aspx?q=ADM%20templates

http://technet.microsoft.com/en-us/library/cc780445%28WS.10%29.aspx
http://support.microsoft.com/kb/815141
http://technet.microsoft.com/en-us/library/cc728150%28WS.10%29.aspx

This is for Windows 2008 by MS that covers the initial guide on adding sites to specific zones, which you might not want to do if you have many:
http://technet.microsoft.com/en-us/library/dd883248%28WS.10%29.aspx

I was unable to locate a quick command line option that would uninstall/deselect this feature.
0
 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 36523075
In Windows Server 2008, this doesn’t work anymore. You have to click on the root folder in Server Manager. Then you scroll down to the Security Information Section and click “Configure IE ESC”. You can turn off IE ESC for Administrators and/or for users.
0
 
LVL 70

Author Comment

by:KCTS
ID: 36523105
I know how to turn it off on a single server - but I have around 50 member servers (used for training and app development), on which I need to switch this off - surely there has to be a better way than doing it machine by machine.
0

 
LVL 76

Expert Comment

by:arnold
ID: 36523294
http://support.microsoft.com/kb/222444
sysocmgr.exe used to work, as http://www.itedge.net/blog/2007/08/08/disable-ie7-protected-mode-on-windows-server-2008/ not sure if it is still present in win2k8.

http://www.networknet.nl/apps/wp/archives/874
Try the command line on one.
If it works, you can push this as a startup directive on the OU to which these servers belong. To avoid having it run, you may want to have a check whether enhanced security is enabled.
http://www.vbsedit.com/scripts/desktop/ie/scr_258.asp
0
 
LVL 6

Accepted Solution

by:
mkuehngoe earned 250 total points
ID: 36528201
You can script it (using GPO or GPO preferences) like this:
You need two reg files, one for users, one for admins.

ADMIN (iehardadmin.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenUser"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3011"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,55,00,73,00,65,00,72,00,00,00
"Dontask"=dword:00000002
"Locale"="en"

USER (ieharduser.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenAdmin"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3010"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,41,00,64,00,6d,00,69,00,6e,00,\
  00,00
"Dontask"=dword:00000002
"Locale"="en"

And finally this cmd:
Regedit /s ieharduser.reg
Regedit /s iehardadmin.reg
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
0
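
Added example, not part of the accepted answer or any poster's code: a PowerShell 2.0 startup script that applies the check-before-change idea raised earlier in the thread, using only the two Active Setup keys and the three rundll32 entry points shown in the answer above. The -ReportOnly switch and the Get-EscState function name are assumptions made for this example; the GUID-to-component mapping follows the ComponentID value inside each posted .reg file, not the file name.

```powershell
# Added example (not from the thread): check IE ESC state, change it only when needed.
# Targets PowerShell 2.0 on Server 2008 R2; run elevated, e.g. as a computer startup script.
param([switch]$ReportOnly)   # hypothetical switch: audit only, change nothing

$base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
# GUID -> component, as given by the ComponentID values in the posted .reg files
$components = @{
    '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' = 'IEHardenAdmin'
    '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' = 'IEHardenUser'
}

function Get-EscState {
    foreach ($guid in $components.Keys) {
        $path  = "$base\$guid"
        $state = 'KeyMissing'
        if (Test-Path $path) {
            $p = Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue
            if ($p -eq $null)             { $state = 'ValueMissing' }
            elseif ($p.IsInstalled -eq 0) { $state = 'Disabled' }
            else                          { $state = 'Enabled' }
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME; Component = $components[$guid]
            Path = $path; State = $state
        }
    }
}

$toChange = @(Get-EscState | Where-Object { $_.State -eq 'Enabled' })

if (-not $ReportOnly -and $toChange.Count -gt 0) {
    foreach ($c in $toChange) {
        # The value already exists here, so only its data is changed to 0
        Set-ItemProperty -Path $c.Path -Name IsInstalled -Value 0
    }
    # Same three rundll32 entry points as the cmd in the answer above
    foreach ($entry in 'IEHardenLMSettings', 'IEHardenUser', 'IEHardenAdmin') {
        Start-Process rundll32.exe -ArgumentList "iesetup.dll,$entry" -Wait
    }
}

# Final state, one row per component, suitable for logging from the startup script
Get-EscState | Select-Object Computer, Component, State
```

Running it with -ReportOnly first across the OU gives a per-server record of which component was enabled before anything is changed.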
 

Assisted Solution

by:IntrepidIT
IntrepidIT earned 250 total points
ID: 36530798
To do so, you can download the adm file from the following link and import it to the GPO.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

 

Here are the detailed steps:

 

    1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
    2. Right-click a GPO and select Edit.
    3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
    4. Click the button Add, and then double-click the adm file to import it.
    5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
    6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in a Windows 2003 domain.
0
 
LVL 70

Author Closing Comment

by:KCTS
ID: 36545555
Thanx to all
0
