Disable/Enable the Internet Explorer Enhanced Security Configuration for Admins with Group Policy

One of the biggest security threats to a server is having a web browser installed. Running a server in Server Core mode resolves this problem, but what do you do when you need the GUI enabled? This is the reason that Microsoft introduced Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2003. Unfortunately, like a lot of other great features, Microsoft didn’t give us any kind of obvious Group Policy setting to enable or disable the feature. The good news? It is just a Registry entry that can be tweaked with Group Policy Preferences.


First, you’ll need a Group Policy Object that will contain the settings. In my example, I’ve used a standalone GPO for testing purposes, but this could easily go in the policy that applies to all your servers or a subset of your servers. Note: I created all these screenshots on Server 2012 so that the Registry keys would exist. If you’re doing this on a desktop OS, you may need to copy/paste over a few of the Registry keys.

Open your GPO, and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Right-click on Registry and choose New > Registry Item.


In the New Registry Properties window, click the […] button next to Key Path.


Navigate down to the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}

Once you’re there, click the key, then click “IsInstalled,” and click Select.


You should end up with a screen that looks something like this:

Note that if you’re creating this on a server, the ‘Value data’ field will be populated based on how the IE ESC is currently configured: 00000001 for Enabled and 00000000 for Disabled.

Here’s how you can set the settings manually:

Action: Update
Key Path: SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Value name: IsInstalled
Value type: REG_DWORD
Value data: 00000001 (IE ESC is Enabled for Admins)
Value data: 00000000 (IE ESC is Disabled for Admins)
Base: Hexadecimal

The final product should look something like this in the Group Policy Management Console:


While this setting will apply the next time Group Policy refreshes (or when you manually run gpupdate), the actively logged in user will need to log out and back in for the setting to take effect.
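
To confirm which state a server actually ended up in after the policy refresh, the following added example (not part of the original post) reads the same IsInstalled value and reports it, including the case where the key does not exist. The function name and output property names are hypothetical, and the -ComputerName path assumes PowerShell remoting is enabled on the target servers.

```powershell
# Added example: report whether IE ESC is enabled for administrators.
# Get-IEEscAdminState and its output property names are hypothetical.
function Get-IEEscAdminState {
    [CmdletBinding()]
    param(
        # Servers to query over PowerShell remoting; omit to check the local machine.
        [string[]]$ComputerName
    )

    $check = {
        # Same key the Group Policy Preference item above writes to.
        $key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        $state = 'KeyMissing'      # IE ESC component key not present on this OS
        $raw   = $null

        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name IsInstalled -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'   # key exists, IsInstalled was never written
            } else {
                $raw = [int]$item.IsInstalled
                switch ($raw) {
                    1       { $state = 'Enabled' }     # 00000001
                    0       { $state = 'Disabled' }    # 00000000
                    default { $state = 'Unexpected' }  # anything else needs a manual look
                }
            }
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            State       = $state
            IsInstalled = $raw
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check |
            Select-Object Computer, State, IsInstalled
    } else {
        & $check
    }
}

# Check the local server after running gpupdate.
Get-IEEscAdminState
```

A result of Disabled on a server that should be covered by an "Enabled" GPO points to the policy not being linked, filtered out, or not yet refreshed on that machine.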

Note: This setting works on all versions of Windows Server that include the IE ESC feature. For Windows Server 2003 R2, you will need to install the Group Policy Preferences Client Side Extensions.
