Note You are more likely to experience this behavior on a terminal server that you configured from a prepared image (Sysprepped image).
Method 1: Rebuild the terminal serverIf the terminal server was configured to have Internet Explorer Enhanced Security Configuration enabled and if the terminal server is in a locked down environment, you may be unable to completely remove Internet Explorer Enhanced Security Configuration.
In this case, it may be quicker to rebuild the terminal server. When you do this, use an Unattend.txt file together with the Windows Setup program to disable Internet Explorer Enhanced Security Configuration during the installation of Windows.
Method 2: Modify Internet Explorer settings for administrator accountsFor administrator accounts, you can run the following command to turn off Internet Explorer Enhanced Security Configuration:
Method 3: Remove the IEHarden registry entry for particular standard user accountsImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To turn off Internet Explorer Enhanced Security Configuration for a few user accounts, you can remove the IEHarden registry entry from each standard user account profile. To do this, follow these steps:
- Log on to the terminal server by using the credentials of the standard user account.
- Click Start, click Search, and then search for the Regedit.exe file.
- Right-click regedit.exe, and then click Run as.
- Click The following user, type an account name that has administrative credentials, and then click OK.
- Locate and then click the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap
- In the details pane, right-click IEHarden, click Modify, type 0 (zero) in the Value data box, and then click OK.
Note You can also remove this registry entry.
- Locate and then click the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- In the details pane, right-click IEHardenIENoWarn, click Modify, type 0 (zero) in the Value data box, and then click OK.
Note You can also remove this registry entry.
- Exit Registry Editor, and then start Internet Explorer.
- On the Tools menu, click Internet Options.
- Click the Advanced tab, click Restore Defaults, and then click OK.
Method 4: Create a new default profile for standard user accountsYou may have an environment in which one or more of the following conditions are true:
- You want to turn off Internet Explorer Enhanced Security Configuration for all users.
- You use application publishing for Internet Explorer. In this scenario, no shell is available in which to load a user's profile. Therefore, the .DEFAULT registry subkey is used for the user profile information.
- You use a Citrix-based terminal server, and no local profile exists for a user or for users. In this scenario, the Citrix system uses the .DEFAULT registry subkey for user profile information.
- Create a new user account that has full rights to the Windows desktop. For example, use an account that has administrative credentials.
- Log on to the terminal server by using this new account, and then turn off Internet Explorer Enhanced Security Configuration by using the "Add or Remove Programs" item in Control Panel.
- Log off the terminal server.
- Copy the NTUser.dat file from this new account profile to the Default User profile folder on the terminal server.
Note This action overwrites the existing NTUser.dat file in the Default User profile folder. Therefore, you may want to back up the original NTUser.dat file before you perform this action.
- Create a Group Policy object to disable or to enable Internet Explorer hardening in the Active Directory directory service. To do this, follow these steps in the "Using Group Policy to Enable or Disable Internet Explorer Enhanced Security Configuration by Setting Preferences with InetESC.adm" section of the Managing Internet Explorer Enhanced Security Configuration white paper. To obtain this white paper, visit the following Microsoft Web site:
Article ID: 933991 - Last Review: Jul 9, 2009 - Revision: 1