Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

Article translations Article translations
Article ID: 933991 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

After you configure a Microsoft Windows Server 2003-based terminal server, standard users cannot turn off the Internet Explorer Enhanced Security Configuration feature. When a standard user clicks to clear the Internet Explorer Enhanced Security Configuration check box, the check box remains clear as expected. However, Internet Explorer Enhanced Security Configuration is still enabled.

Note You are more likely to experience this behavior on a terminal server that you configured from a prepared image (Sysprepped image).

RESOLUTION

To resolve this problem, use one or more of the following methods, as appropriate for your situation.

Method 1: Rebuild the terminal server

If the terminal server was configured to have Internet Explorer Enhanced Security Configuration enabled and if the terminal server is in a locked down environment, you may be unable to completely remove Internet Explorer Enhanced Security Configuration.

In this case, it may be quicker to rebuild the terminal server. When you do this, use an Unattend.txt file together with the Windows Setup program to disable Internet Explorer Enhanced Security Configuration during the installation of Windows.

Method 2: Modify Internet Explorer settings for administrator accounts

For administrator accounts, you can run the following command to turn off Internet Explorer Enhanced Security Configuration:
rundll32.exe setupapi.dll,InstallHinfSection IESoftenAdmin 128 %windir%\inf\IEHARDEN.INF
Note You must run this command by using an account that has administrative credentials. Additionally, for the changes to take effect, you must restart the computer after you run this command.

Method 3: Remove the IEHarden registry entry for particular standard user accounts

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To turn off Internet Explorer Enhanced Security Configuration for a few user accounts, you can remove the IEHarden registry entry from each standard user account profile. To do this, follow these steps:
  1. Log on to the terminal server by using the credentials of the standard user account.
  2. Click Start, click Search, and then search for the Regedit.exe file.
  3. Right-click regedit.exe, and then click Run as.
  4. Click The following user, type an account name that has administrative credentials, and then click OK.
  5. Locate and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap
  6. In the details pane, right-click IEHarden, click Modify, type 0 (zero) in the Value data box, and then click OK.

    Note You can also remove this registry entry.
  7. Locate and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  8. In the details pane, right-click IEHardenIENoWarn, click Modify, type 0 (zero) in the Value data box, and then click OK.

    Note You can also remove this registry entry.
  9. Exit Registry Editor, and then start Internet Explorer.
  10. On the Tools menu, click Internet Options.
  11. Click the Advanced tab, click Restore Defaults, and then click OK.

Method 4: Create a new default profile for standard user accounts

You may have an environment in which one or more of the following conditions are true:
  • You want to turn off Internet Explorer Enhanced Security Configuration for all users.
  • You use application publishing for Internet Explorer. In this scenario, no shell is available in which to load a user's profile. Therefore, the .DEFAULT registry subkey is used for the user profile information.
  • You use a Citrix-based terminal server, and no local profile exists for a user or for users. In this scenario, the Citrix system uses the .DEFAULT registry subkey for user profile information.
In this scenario, follow these steps:
  1. Create a new user account that has full rights to the Windows desktop. For example, use an account that has administrative credentials.
  2. Log on to the terminal server by using this new account, and then turn off Internet Explorer Enhanced Security Configuration by using the "Add or Remove Programs" item in Control Panel.
  3. Log off the terminal server.
  4. Copy the NTUser.dat file from this new account profile to the Default User profile folder on the terminal server.

    Note This action overwrites the existing NTUser.dat file in the Default User profile folder. Therefore, you may want to back up the original NTUser.dat file before you perform this action.
  5. Create a Group Policy object to disable or to enable Internet Explorer hardening in the Active Directory directory service. To do this, follow these steps in the "Using Group Policy to Enable or Disable Internet Explorer Enhanced Security Configuration by Setting Preferences with InetESC.adm" section of the Managing Internet Explorer Enhanced Security Configuration white paper. To obtain this white paper, visit the following Microsoft Web site:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en
    The package in which this white paper is contained includes the InetESC.adm file. You can use this file to configure Internet Explorer Enhanced Security Configuration.

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
815141 Internet Explorer Enhanced Security Configuration changes the browsing experience
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 933991 - Last Review: October 11, 2007 - Revision: 1.5
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
Keywords: 
kbenv kbtshoot kbprb KB933991

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com