FAQ about Internet Explorer Enhanced Security Configuration (ESC)

Applies to: Internet Explorer

What is Internet Explorer Enhanced Security Configuration?


Internet Explorer Enhanced Security Configuration (ESC) establishes security settings that define how users browse the internet and intranet websites. These settings also reduce the exposure of servers to websites that might present a security risk. This process is also known as IEHarden. For more information, see Internet Explorer: Enhanced Security Configuration.

Do I have to enable Internet Explorer ESC?


This feature is enabled by default on servers.

What are the effects of enabling Internet Explorer ESC?


Internet Explorer ESC adjusts the Internet Explorer extensibility and security settings to reduce exposure to possible future security threats. These settings are on the Advanced tab of Internet Options in Control Panel. The following table describes the settings.

Feature | Entry | New setting | Result
Browsing | Display enhanced security configuration dialog box. | On | Displays a dialog box to notify you when an Internet site tries to use scripting or ActiveX Controls.
Browsing | Enable Browser Extensions. | Off | Disables features you installed for use with Internet Explorer that were created by companies other than Microsoft.
Browsing | Enable Install on Demand (Internet Explorer). | Off | Disables installing Internet Explorer components on demand, if needed by a Web page.
Browsing | Enable Install on Demand (Other). | Off | Disables installing Web components on demand, if needed by a Web page.
Microsoft VM | Just-in-time (JIT) compiler for virtual machine enabled (requires restart). | Off | Disables the Microsoft VM compiler.
Multimedia | Do not display online content in the media bar. | On | Disables playback of media content in the Internet Explorer media bar.
Multimedia | Play sounds in Web pages. | Off | Disables music and other sounds.
Multimedia | Play animations in Web pages. | Off | Disables animations.
Multimedia | Play videos in Web pages. | Off | Disables video clips.
Security | Check for server certificate revocation (requires restart). | On | Automatically checks a Web site's certificate to see whether the certificate has been revoked before accepting the certificate as valid.
Security | Check for signatures on downloaded programs. | On | Automatically verifies and displays the identity of programs that you download.
Security | Do not save encrypted pages to disk. | On | Disables saving secured information in your Temporary Internet Files folder.
Security | Empty Temporary Internet Files folder when browser is closed. | On | Automatically clears the Temporary Internet Files folder when you close the browser.

These changes reduce the functionality in webpages, web-based applications, local network resources, and applications that use a browser to display online help, support, and general user assistance.

How can I turn off Internet Explorer ESC on Windows servers?


To turn off Internet Explorer ESC, follow these steps:

  1. Enter Server Manager in Windows Search to start the Server Manager program.
  2. Select Local Server.
  3. Navigate to the IE Enhanced Security Configuration property, select the current setting to open the property page, select the Off option button for the desired users, and then select OK.

    [Image: IE ESC setting in Server Manager]

    [Image: select-off-option]
  4. Select the Refresh icon on the Server Manager toolbar to see the new settings reflected in Server Manager.

    [Image: current-ie-esc-setting]

The following video demonstrates this procedure.

For more information, see Manage the Local Server and the Server Manager Console.

How can I disable Internet Explorer ESC by using a script?


To disable Internet Explorer ESC by using a script, follow these steps:

  1. Download and save IEHArden_V5.zip.
  2. Extract IEHArden_V5.bat from the compressed (.zip) file, and then run it either at an administrative command prompt or as part of a logon script by using the procedure that is documented in How to assign user logon scripts.

Contents of the batch file

ECHO OFF
REM This sample script is not supported under any Microsoft standard support program or service.
REM The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims
REM all implied warranties including, without limitation, any implied warranties of merchantability
REM or of fitness for a particular purpose. The entire risk arising out of the use or performance of
REM the sample scripts and documentation remains with you. In no event shall Microsoft, its authors,
REM or anyone else involved in the creation, production, or delivery of the scripts be liable for any
REM damages whatsoever (including, without limitation, damages for loss of business profits, business
REM interruption, loss of business information, or other pecuniary loss) arising out of the use of or
REM inability to use the sample scripts or documentation, even if Microsoft has been advised of the
REM possibility of such damages
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008 (including R2)
REM  Please understand, this is not a recommended step for servers that have any internet access and should be used carefully!
REM  Please review the following article for more on IE Enhanced Security Configuration: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883248(v=ws.10)?redirectedfrom=MSDN
REM  IEHarden Removal Project End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: Remove the :: from the two lines below if you want to back up the registry keys first
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"
:: Mark the two ESC Active Setup components (administrators and users) as not installed
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::x64
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::Disables IE Harden for the user; a value of 1 means enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
::The line below is commented out because it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios
::Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow
::This applies to Windows 2003 Servers
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va
:: Optional: remove the warning on first IE run and set the home page to blank. Remove the :: from the lines below
:: 32-bit HKCU Keys
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
:: This disables a warning the user may get regarding Protected Mode being disabled for the intranet zone, which is the default.
:: See article http://social.technet.microsoft.com/Forums/lv-LV/winserverTS/thread/34719084-5bdb-4590-9ebf-e190e8784ec7
:: Intranet Protected Mode is disabled. The warning should not appear, and this key disables the warning
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "NoProtectedModeBanner" /t REG_DWORD /d 1 /f
:: Removing Terminal Server Shadowing x86 32bit
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
:: Removing Terminal Server Shadowing Wow6432Node
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

How can I manage the IEHarden Setting for users by using Group Policy Preferences (GPP)?


To change the IEHarden setting for users by using Group Policy Preferences Registry configuration, follow these steps:

  1. Open the GPMC.msc console, and then navigate to User Configuration > Preferences > Windows Settings.
  2. In the navigation pane, right-click the Registry object, and then select New > Registry Item.

    [Image: new-a-registry-item]
  3. In IEHarden Properties, specify the following settings:

    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Value name: IEHarden
    Value type: REG_DWORD
    Value data: 0 or 00000000

    [Image: registry-settings]
  4. Select Apply and OK to complete this GPP configuration.

Note: You may also want to check the following registry subkeys if this value does not resolve the problem. In most cases, this is not necessary.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
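
The batch file and the GPP item above write to two kinds of locations: the IsInstalled value of the two ESC Active Setup components and the IEHarden value in the three ZoneMap subkeys. The following read-only PowerShell audit, added here as an example and not part of the FAQ or of IEHArden_V5.bat, reads those same locations so you can verify what state a server is actually in after a Server Manager change, the script, or a GPP refresh; it assumes the usual mapping of GUID ...A7 to the Administrators component and ...A8 to the Users component, and treats a missing value as "not set".

```powershell
# Added example: read-only audit of IE ESC state via the registry locations used on this page.
# Assumption: {...A509B1A7...} is the ESC component for Administrators, {...A509B1A8...} for Users.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$components = [ordered]@{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
# The three ZoneMap subkeys the batch file sets and the FAQ note tells you to check.
$zoneMaps = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKCU:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-IEEscState {
    $rows = @(foreach ($group in $components.Keys) {
        $v = Get-RegDword -Path (Join-Path $activeSetup $components[$group]) -Name 'IsInstalled'
        [pscustomobject]@{ Scope = "ESC for $group"; Value = 'IsInstalled'
                           Data = if ($null -eq $v) { 'not set' } else { $v }; Enabled = ($v -eq 1) }
    })
    $rows += @(foreach ($zm in $zoneMaps) {
        $v = Get-RegDword -Path $zm -Name 'IEHarden'
        [pscustomobject]@{ Scope = $zm; Value = 'IEHarden'
                           Data = if ($null -eq $v) { 'not set' } else { $v }; Enabled = ($v -eq 1) }
    })
    return $rows
}

$state = Get-IEEscState
$state | Format-Table -AutoSize

# Surface the condition the FAQ warns about: ESC disabled on a server that may browse the internet.
$disabled = @($state | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    Write-Warning ("IE ESC is disabled or unset in {0} scope(s); confirm this server is not " +
                   "expected to browse the internet.") -f $disabled.Count
}
```

Run it in an elevated PowerShell session on the server; the HKCU rows reflect the profile of the account running the audit, so check a standard user's session separately if the GPP item targets users rather than administrators.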

After I disabled ESC by using Server Manager, Internet Explorer doesn't seem to work. What should I do?


To troubleshoot this scenario, refer to Standard users can't turn off Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server or a later version. Basically, you may have to enable or disable ESC again. Targeting the registry may be the easiest way to resolve this problem.