Solved

Group Policy to Disable IE Enhanced Security on Server 2008

Posted on 2011-09-12
Last Modified: 2012-06-27
I have a lab with a number of 2008R2 member servers in a 2008R2 Domain.
I am trying to find a group policy setting to switch off IE Enhanced Security but cannot find the option.

Does the option exist?
Question by:KCTS
8 Comments
 
LVL 12
ID: 36522735
0
 
LVL 79

Expert Comment

by:arnold
ID: 36522829
Enhanced security is a windows add-on which you could enforce through setting it for regular users while exempting administrative.
Win2k3 white paper on the matter to manage via GPO:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15013
I've not gone through the document, but think the way it manages it is by defining within the GPO trusted sites which would be exempt from/bypass the enhanced security setting.
user configuration\Administrative templates\windows components\internet Explorer\Internet control panel\security page\
trusted site, etc.
Per user
or
http://social.technet.microsoft.com/forums/en-US/winserverGP/thread/14aa9d58-0e06-4236-b92c-ca770a464073 that includes a link to http://www.gpanswers.com/community/viewtopic.php?p=7868 as well as a post following this comment/link that deals with downloading an ADM file to do what you want.
http://www.microsoft.com/download/en/details.aspx?id=18664
http://www.microsoft.com/download/en/search.aspx?q=ADM%20templates

http://technet.microsoft.com/en-us/library/cc780445%28WS.10%29.aspx
http://support.microsoft.com/kb/815141
http://technet.microsoft.com/en-us/library/cc728150%28WS.10%29.aspx

This is for windows 2008 by MS that covers the initial guide on adding sites to specific zones, which you might not want to do if you have many
http://technet.microsoft.com/en-us/library/dd883248%28WS.10%29.aspx

I was unable to locate a quick command line option that would uninstall/deselect this feature.
0
 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 36523075
In Windows Server 2008, this doesn’t work anymore. You have to click on the root folder in Server Manager. Then you scroll down to the Security Information Section and click “Configure IE ESC”. You can turn off IE ESC for Administrators and/or for users.
0

 
LVL 70

Author Comment

by:KCTS
ID: 36523105
I know how to turn it off on a single server - but I have around 50 member servers (used for training and app development), on which I need to switch this off - surely there has to be a better way than doing it machine by machine
0
 
LVL 79

Expert Comment

by:arnold
ID: 36523294
http://support.microsoft.com/kb/222444
sysocmgr.exe used to work, as http://www.itedge.net/blog/2007/08/08/disable-ie7-protected-mode-on-windows-server-2008/ not sure if it is still present in win2k8.

http://www.networknet.nl/apps/wp/archives/874
Try the command line on one.
If it works, you can push this as a startup directive on the OU to which these servers belong. To avoid having it run, you may want to have a check whether enhanced security is enabled.
http://www.vbsedit.com/scripts/desktop/ie/scr_258.asp
0
 
LVL 6

Accepted Solution

by:
mkuehngoe earned 1000 total points
ID: 36528201
You can script it (using GPO or GPO preferences) like this:
You need two reg files, one for users, one for admins

ADMIN (iehardadmin.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenUser"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3011"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,55,00,73,00,65,00,72,00,00,00
"Dontask"=dword:00000002
"Locale"="en"

USER (ieharduser.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenAdmin"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3010"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,41,00,64,00,6d,00,69,00,6e,00,\
  00,00
"Dontask"=dword:00000002
"Locale"="en"

and finally this cmd
Regedit /s ieharduser.reg
Regedit /s iehardadmin.reg
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
0
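The check arnold suggests (only act when enhanced security is still enabled) combined with the registry values and rundll32 entry points from the accepted answer, as one idempotent startup script. This is an added example, not code posted by anyone in the thread; the function names and the log path are assumptions, and the role-to-GUID mapping follows the ComponentID values shown in the .reg files above.

```powershell
# Added example. Key paths, IsInstalled values and rundll32 entry points are
# the ones posted in this thread; function names and log path are assumptions.
$base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escKeys = @{
    Admin = "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"  # ComponentID IEHardenAdmin
    User  = "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"  # ComponentID IEHardenUser
}
$logFile = Join-Path $env:SystemRoot 'Temp\ie-esc-state.log'  # assumed location

function Get-IEEscState {
    # One object per role; IsInstalled is 1 when ESC is on, 0 when off,
    # and empty when the key does not exist on this machine.
    foreach ($role in $escKeys.Keys) {
        $prop = Get-ItemProperty -Path $escKeys[$role] -Name IsInstalled -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Role        = $role
            Path        = $escKeys[$role]
            IsInstalled = $prop.IsInstalled
        }
    }
}

function Disable-IEEsc {
    # Flip only the roles that are still enabled, so repeated startups are no-ops.
    $changed = $false
    foreach ($state in Get-IEEscState) {
        if ($state.IsInstalled -eq 1) {
            Set-ItemProperty -Path $state.Path -Name IsInstalled -Value 0 -Type DWord
            $changed = $true
        }
    }
    if ($changed) {
        # Re-apply the IE settings, same three calls as the accepted answer.
        foreach ($entry in 'IEHardenLMSettings', 'IEHardenUser', 'IEHardenAdmin') {
            Start-Process rundll32.exe -ArgumentList "iesetup.dll,$entry" -Wait
        }
    }
    return $changed
}

# Record the state found and whether this run changed it, for later audit.
$before  = (Get-IEEscState | ForEach-Object { "$($_.Role)=$($_.IsInstalled)" }) -join ','
$changed = Disable-IEEsc
$line    = "{0} {1} before[{2}] changed={3}" -f (Get-Date -Format s), $env:COMPUTERNAME, $before, $changed
Add-Content -Path $logFile -Value $line
```

Assigned as a computer startup script on the OU holding the servers, it runs as SYSTEM and leaves one log line per boot showing which machines had the setting changed.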
 

Assisted Solution

by:IntrepidIT
IntrepidIT earned 1000 total points
ID: 36530798
To do so, you can download the adm file from the following link and import it to the GPO.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

 

Here are the detailed steps:

 

    1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
    2. Right-click a GPO and select Edit.
    3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
    4. Click the button Add, and then double-click the adm file to import it.
    5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
    6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in Windows 2003 domain.
0
 
LVL 70

Author Closing Comment

by:KCTS
ID: 36545555
Thanx to all
0
