Disable/Enable the Internet Explorer Enhanced Security Configuration for Admins with Group Policy

One of the biggest security threats to a server is having a web browser installed. Running a server in Server Core mode resolves this problem, but what do you do when you need the GUI enabled? This is the reason that Microsoft introduced Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2003. Unfortunately, as with a lot of other great features, Microsoft didn’t give us any kind of obvious Group Policy setting to enable or disable it. The good news? It is just a Registry entry that can be tweaked with Group Policy Preferences.

First, you’ll need a Group Policy Object that will contain the settings. In my example, I’ve used a standalone GPO for testing purposes, but this could easily go in the policy that applies to all your servers or a subset of your servers. Note: I created all these screenshots on Server 2012 so that the Registry keys would exist. If you’re doing this on a desktop OS, you may need to copy/paste over a few of the Registry keys.

Open your GPO, and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Right-click on Registry and choose New > Registry Item.

In the New Registry Properties window, click the […] button next to Key Path.

Navigate down to the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}

Once you’re there, click the key, then click “IsInstalled,” and click Select.

You should end up with a screen that looks something like this:

[Screenshot: the populated New Registry Properties window]

Note that if you’re creating this on a server, the ‘Value data’ field will be populated based on how the IE ESC is currently configured: 00000001 for Enabled and 00000000 for Disabled.

Here’s how you can set the settings manually:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Value name: IsInstalled
Value type: REG_DWORD
Value data: 00000001 (IE ESC is Enabled for Admins)
Value data: 00000000 (IE ESC is Disabled for Admins)
Base: Hexadecimal

The final product should look something like this in the Group Policy Management Console:

[Screenshot: the finished Registry preference item in the Group Policy Management Console]

While this setting will apply the next time Group Policy refreshes (or when you manually run gpupdate), the currently logged-in user will need to log out and back in for the setting to take effect.

Note: This setting works on all versions of Windows Server that include the IE ESC feature. For Windows Server 2003 R2, you will need to install the Group Policy Preferences Client Side Extensions.
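
To confirm that the preference item actually landed on a server, you can read the same Registry value back. The following is an added example, not part of the original article; the function name Get-IEEscAdminState is hypothetical, and the -ComputerName path assumes PowerShell remoting is enabled on the target servers.

```powershell
# Added example: report the IE ESC (Admins) state from the Registry value
# that the Group Policy Preferences item above manages.
# Get-IEEscAdminState is a hypothetical name; key and value name are from the article.
function Get-IEEscAdminState {
    [CmdletBinding()]
    param(
        # Optional remote servers (assumes PowerShell remoting is enabled on them).
        [string[]]$ComputerName
    )

    $check = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        $state = 'KeyMissing'   # e.g. an OS without the IE ESC feature
        $raw = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name 'IsInstalled' -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } else {
                $raw = [int]$item.IsInstalled
                $state = switch ($raw) {
                    1       { 'Enabled' }     # 00000001 = IE ESC enabled for Admins
                    0       { 'Disabled' }    # 00000000 = IE ESC disabled for Admins
                    default { 'Unexpected' }  # anything else was not set by this GPO item
                }
            }
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            IsInstalled = $raw
            State       = $state
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check |
            Select-Object Computer, IsInstalled, State
    } else {
        & $check
    }
}

# Local check: list the server only if IE ESC for Admins is not enabled.
Get-IEEscAdminState | Where-Object { $_.State -ne 'Enabled' }
```

Run it after gpupdate; the Registry value changes immediately, even though a logged-in user still has to log out and back in before the browser behavior changes.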

Kyle Beckman

Kyle is a Systems Administrator with 15+ years of experience. He currently works in Higher Education supporting everything from smartphones to desktop PCs to Hyper-V Failover Clusters. (If it has an IP address, he probably supports it!) He has also worked in Small Business IT consulting supporting a wide variety of businesses and non-profit organizations.

Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG). You can find additional articles he's written on 4sysops.com.

© trekker.net