Disable/Enable the Internet Explorer Enhanced Security Configuration for Users/Non-Admins with Group Policy

In a previous post, I covered disabling/enabling the Internet Explorer Enhanced Security Configuration (IE ESC) for Administrators via Group Policy. Disabling the IE ESC for Administrators is usually something I don’t recommend in a production environment. However, disabling it for Users/Non-Administrators is a different story. In most cases, you won’t have someone logging in to a console or over Remote Desktop (RDP) to your servers that doesn’t have Admin rights… that is unless your running Terminal Services/Remote Desktop Services or a third-party product like XenApp. In those environments, it is very normal to have users logged into a remote session that do need access to fully functional web browser. Microsoft didn’t give us any kind of obvious Group Policy setting to enable or disable the IE ESC. Like the setting for Admins, it is a Registry entry that can be tweaked with Group Policy Preferences for deployment to groups of servers so than you can make sure your end users are receiving a consistent environment.

internet_explorer_enhanced_security_configuration

First, you’ll need a Group Policy Object that will contain the settings. In my example, I’ve used a standalone GPO for testing purposes; but, this could easily go in the policy that applies to all your servers or a sub-set of your servers. Note: I created all these screenshots on Server 2012 so that the Registry keys would exist. If you’re doing this on a desktop OS, you may need to copy/paste over a few of the Registry keys.

Open your GPO, and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Right-click on Registry and choose New > Registry Item.

01-disable_ie_esc_with_group_policy

In the New Registry Properties windows, click the […] button next to Key Path.

02-disable_ie_esc_with_group_policy

Navigate down to the following Registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}

Once you’re there, click the key, then click “IsInstalled,” and click Select.

06-disable_ie_esc_with_group_policy

You should end up with a screen that looks something like this:

07-disable_ie_esc_with_group_policy
Note that if you’re creating this on a server, the ‘Value data’ field will be populated based on how the IE ESC is currently configured: 00000001 for Enabled and 00000000 for Disabled.

Here’s how you can set the settings manually:

Action: Update
Hive:
HKEY_LOCAL_MACHINE
Key Path:
SOFTWAREMicrosoftActive SetupInstalled Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Value name: IsInstalled
Value type: REG_DWORD
Value data: 00000001 (IE ESC is Enabled for Users/Non-Admins)
Value data: 00000000 (IE ESC is Disabled for Users/Non-Admins)
Base: Hexadecimal

The final product should look something like this in the Group Policy Management Console:

08b-disable_ie_esc_with_group_policy

While this setting will apply the next time Group Policy refreshes (or when you manually run gpupdate), the actively logged in user(s) will need to log out and back in for the setting to take effect.

Note: This setting works on all version of Windows Server that includes the IE ESC feature. For Windows Server 2003 R2, you will need to install the Group Policy Preferences Client Side Extensions.

One thought on “Disable/Enable the Internet Explorer Enhanced Security Configuration for Users/Non-Admins with Group Policy

  1. 7even August 12, 2013 / 4:26 AM

    Smooooth…..thank you for your great guide!

Leave a Reply