Solved

Group Policy to Disable IE Enhanced Security on Server 2008

Posted on 2011-09-12
8
1,889 Views
Last Modified: 2012-06-27
I have a lab with a number of 2008R2 member servers in a 2008R2 Domain.
I am trying to find a group policy setting to switch off IE Enhanced Security but cannot find the option

Does the option exist?
0
Comment
Question by:KCTS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 12
ID: 36522735
0
 
LVL 78

Expert Comment

by:arnold
ID: 36522829
Enhanced security is a windows add-on which you could enforce through setting it for regular users while exempting administrative.
Win2k3 white paper on the matter to manage via GPO:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15013
I've not gone through the document, but thing the way it manages it is by defining within the GPO trusted sites which would be exempt from/bypass the enhanced security setting.
user configuration\Administrative templates\windows components\internet Explorer\Internet control panel\security page\
trusted site, etc.
Per user
or
http://social.technet.microsoft.com/forums/en-US/winserverGP/thread/14aa9d58-0e06-4236-b92c-ca770a464073 that includes a link to http://www.gpanswers.com/community/viewtopic.php?p=7868 as well as a post following this comment/link that deals with downloading an ADM file to to do what you want.
http://www.microsoft.com/download/en/details.aspx?id=18664
http://www.microsoft.com/download/en/search.aspx?q=ADM%20templates

http://technet.microsoft.com/en-us/library/cc780445%28WS.10%29.aspx
http://support.microsoft.com/kb/815141
http://technet.microsoft.com/en-us/library/cc728150%28WS.10%29.aspx

This is for windows 2008 by MS that covers the initial guide on adding sites to specific zones, which you might not want to do if you have many
http://technet.microsoft.com/en-us/library/dd883248%28WS.10%29.aspx

i was unable to locate a quick command line option that would uninstall/deselect this feature.
0
 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 36523075
In Windows Server 2008, this doesn’t work anymore. You have to click on the root folder in Server Manager. Then you scroll down to the Security Information Section and click “Configure IE ESC”. You can turn off IE ESC for Administrators and/or for users.
 IE Enhanced Security
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 70

Author Comment

by:KCTS
ID: 36523105
I know how to turn it off on a single server - but I have around 50 member servers (used for training and app development), on which I need to switch this off - surely there has to be a better way than doining it machine bu machine
0
 
LVL 78

Expert Comment

by:arnold
ID: 36523294
http://support.microsoft.com/kb/222444
sysocmgr.exe used to work, as http://www.itedge.net/blog/2007/08/08/disable-ie7-protected-mode-on-windows-server-2008/ not sure if it is still present in win2k8.

http://www.networknet.nl/apps/wp/archives/874
Try the command line on one.
If it works, you can push this as a startup directive on the OU to which these servers belong. To avoid having it run, you may want to have a check whether enhanced security is enabled.
http://www.vbsedit.com/scripts/desktop/ie/scr_258.asp
0
 
LVL 6

Accepted Solution

by:
mkuehngoe earned 250 total points
ID: 36528201
you can script it (using GPO or GPO preferences) like this:
You need two reg files, one for users, one for admins

ADMIN (iehardadmin.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenUser"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3011"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,55,00,73,00,65,00,72,00,00,00
"Dontask"=dword:00000002
"Locale"="en"

USER (ieharduser.reg)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
@="Applying Enhanced Security Configuration"
"Version"="7,0,6001,18000"
"ComponentID"="IEHardenAdmin"
"LocalizedName"="@C:\\Windows\\System32\\iesetup.dll,-3010"
"StubPath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
  00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,\
  69,00,65,00,73,00,65,00,74,00,75,00,70,00,2e,00,64,00,6c,00,6c,00,2c,00,49,\
  00,45,00,48,00,61,00,72,00,64,00,65,00,6e,00,41,00,64,00,6d,00,69,00,6e,00,\
  00,00
"Dontask"=dword:00000002
"Locale"="en"

and finally this cmd
Regedit /s ieharduser.reg
Regedit /s iehardadmin.reg
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
0
 

Assisted Solution

by:IntrepidIT
IntrepidIT earned 250 total points
ID: 36530798
To do so, you can Download the adm file from the following link and import it to the GPO.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

 

Here are the detailed steps:

 

    1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.
    2. Right-click a GPO and select Edit.
    3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.
    4. Click the button Add, and then double-click the adm file to import it.
    5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.
    6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in Windows 2003 domain.
0
 
LVL 70

Author Closing Comment

by:KCTS
ID: 36545555
Thanx to all
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question