Windows Server 2012 Internet Security Settings


In this dialog box in Internet Explorer Maintenance (IEM), you can customize preference settings in the Inetset.iem file for the users and computers in your organization. These settings can also be set using Internet Options in Control Panel or using Group Policy administrative templates.

Certain Internet Settings options are only supported in either Internet Explorer 6 or Internet Explorer 8. For example, the following Advanced settings options are supported in Internet Explorer 6, but are not supported in Internet Explorer 8:

For this version of IEM, all settings in this dialog box have been converted to true policies that can be managed from Group Policy. These settings are located in Group Policy under Computer Configuration or User Configuration at Administrative Templates\Windows Components\Internet Explorer\Internet Settings.

You must be a member of the Administrators group to work with IEM and Group Policy objects (GPOs).

To configure Internet Settings for Internet Explorer using IEM

1. In IEM, right-click Internet Explorer Maintenance, and then click Preference Mode.

2. In the left pane, click Advanced, and then in the right pane double-click Internet Settings.

3. Edit the values in one or more of the following dialog boxes:

AutoComplete. Use this dialog box to specify whether you want Windows to complete entries that are typed by users, based on entries they have used before. This includes URLs in the Internet Explorer address bar, paths in the Windows Explorer address bar, and various fields in Web forms, including passwords. For example, if you start typing and you have visited before, AutoComplete will suggest In particular, you can disable your users' ability to save passwords by clearing the Prompt to save passwords check box. The settings available in this dialog box are more detailed than the settings available in Internet Options.

Display Settings. Use this dialog box to configure various display settings, including default text size, background colors, and link colors for visited and non-visited sites. These settings are also available in Internet Options on the General tab.

Advanced Settings. Use this dialog box to configure settings for connections, multimedia, security, printing, browsing, and searching. In addition, you can specify whether you want to enable the Microsoft VM (virtual machine) logging and Microsoft VM JIT (just-in-time) compiler features. You may want to disable these features to restrict the use of Active Content and/or to comply with the Internet Explorer Enhanced Security Configuration default settings. These settings are a subset of the settings that are available in Internet Options on the Advanced tab. For more information about restricting Active Content, see article 154036 in the Microsoft Knowledge Base 67807. For more information about default settings, see Managing Internet Explorer Enhanced Security Configuration, 26091.

URL Encoding. Configure this option to specify whether to use UTF-8. This enables your users to exchange URLs that contain characters from any language.

Component Updates. Use this dialog box to specify whether you want to update Internet Explorer and the cipher strength value in About Internet Explorer on the Help menu. For Internet Explorer updates, you can use the default URL that points to Internet Explorer downloads 67690, or you can specify another site used by your company. In addition, you can specify how often you want your computers to check for updates.

How to disable IE Enhanced Security in Windows Server 2012

Immediately after installing Windows Server 2012, we will be trying to access Internet Explorer; only from there will we be downloading other browsers and starting.


Have you seen this? Or similar in SharePoint 2010?

This is just a quick guide to disabling the setting that makes Internet Explorer unbearable in a lab or test environment. Often, you do use the browser on the lab, dev or test server to quickly verify functionality or, in SharePoint, to access the Central Administration web site and make the first initial configurations. When IE ESC is enabled, you get popups all the time and you are asked to add every new URL to the IE Trusted sites zone.

So, on a dev, test or lab server, it is OK to disable it, at least if you ask me, as long as you are aware of what you are doing and that it does, after all, provide an extra layer of security.

At the end of this post, I have added what all the settings in IE ESC really do, one by one.

Updated 2013-02-06 – Added link menu

GUI – Graphical User Interface

1. On the Windows Server 2012 server desktop, locate and start the Server Manager.

2. Select Local Server (the server you are currently on and the one that needs IE ESC turned off).

3. On the right side of the Server Manager, you will by default find the IE Enhanced Security Configuration setting. The default is On.

4. You have two settings that can be disabled: one affects only the Administrators and the other all users. The preferred method when testing, for example, SharePoint is to use a non-admin account, and if that is the case, disable IE ESC only for users. Using a local administrator account would cause an additional threat to security, and it will also often not give you the required result in tests, since the administrator has permissions where a normal user does not.

Make your selection to Off for Administrators, Users or both.

5. In this example, I have selected to completely disable Internet Explorer Enhanced Security. When your selection is made, click OK.

6. Back in the Server Manager, you will see that the setting has not changed at all. Press F5 to refresh the Server Manager and you will see that it is changed to Off.

Done. Open up an IE browser window and try to access any internal site to test the setting; you will notice that you are no longer prompted in the same way.

Best I can do; if you know of any OOB cmdlets that do the trick, please drop a comment and let me know:

Put the code below in a text file and save it with a ps1 extension, for example Disable-IEESC.ps1

This will disable both Administrator and User IE ESC

# Active Setup registry keys that control IE ESC for administrators and for users
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"

# IsInstalled = 0 turns IE ESC off for the corresponding group
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0

Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green

You have to hit Enter twice after pasting the script if you paste it directly into a PS prompt.

IMPORTANT: Do NOT disable IE ESC on any production servers or servers with live data on them. Disabling IE ESC reduces security and can potentially expose the server to attacks. By the way, on a production server, IE shall not be used at all.
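To find servers where IE ESC was left off, the same two registry values can be read back. The following is an added example, not part of the original post: the function name Get-IEEscState and its -Enforce switch are hypothetical, and it assumes IsInstalled = 1 is the enabled state, the inverse of the 0 written by the script above.

```powershell
# Added example: report IE ESC state per scope and optionally turn it back on.
# Get-IEEscState and -Enforce are hypothetical names used for this illustration.
function Get-IEEscState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Enforce   # set IsInstalled back to 1 where IE ESC is found disabled
    )

    $root = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $keys = [ordered]@{
        Administrators = $root + '\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = $root + '\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }

    foreach ($scope in $keys.Keys) {
        $path  = $keys[$scope]
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $prop = Get-ItemProperty -LiteralPath $path -Name IsInstalled -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.IsInstalled }
        }

        # A missing key or value is reported as Unknown rather than guessed at.
        if     ($value -eq 1) { $state = 'Enabled' }
        elseif ($value -eq 0) { $state = 'Disabled' }
        else                  { $state = 'Unknown' }

        $remediated = $false
        if ($Enforce -and $state -eq 'Disabled' -and
            $PSCmdlet.ShouldProcess($path, 'Set IsInstalled to 1 (re-enable IE ESC)')) {
            Set-ItemProperty -LiteralPath $path -Name IsInstalled -Value 1
            $state      = 'Enabled'
            $remediated = $true
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Scope      = $scope
            State      = $state
            Remediated = $remediated
        }
    }
}

# Report only; use "Get-IEEscState -Enforce -WhatIf" to preview a remediation.
Get-IEEscState | Format-Table -AutoSize
```

Run it from an elevated prompt; as the Microsoft help text quoted further down notes, Internet Explorer must be restarted before a change becomes active.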

More on IE ESC from Microsoft help:

From the Windows Server 2008 R2 help; the 2012 help leads to an empty web page.

Internet Explorer Enhanced Security Configuration Overview

Windows Internet Explorer Enhanced Security Configuration (IE ESC) configures your server and Internet Explorer in a way that decreases the exposure of your server to potential attacks through Web content and application scripts. This is done by raising the default security levels on Internet Explorer security zones and changing the default settings.

IE ESC can be enabled or disabled by using Server Manager for members of the local Administrators group only or for all users that log on to the computer.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Note: If Internet Explorer is open when IE ESC is enabled or disabled, you must restart Internet Explorer for the IE ESC changes to become active.

Note: IE ESC will automatically be disabled if Terminal Services or Remote Desktop Services is installed on a computer that has IE ESC enabled, but it can be enabled again by using Server Manager.

When IE ESC is enabled on Windows Server 2008 R2, the security levels for several built-in security zones are changed. The following describes these changes.

Internet: All Web sites are assigned to this zone by default. Web pages might not display as expected, and applications that require the Web browser might not work correctly because scripts, ActiveX controls, and file downloads have been disabled. If you trust an Internet Web site, you can add that site to the Trusted sites zone.

Trusted sites: This zone is for the Internet sites whose content you trust.

Local intranet: When visiting Web sites on your organization's intranet, you might be repeatedly prompted for credentials because IE ESC disables the automatic detection of intranet Web sites. To automatically send credentials to selected intranet sites, add those sites to the Local intranet zone. Additionally, access to scripts, executable files, and other files in a shared folder is restricted unless the shared folder is added to this zone.

Restricted sites: This zone contains sites that are not trusted, such as malicious Web sites.

Internet Explorer maintains two different lists of sites for the Trusted sites zone: one list when IE ESC is enabled and a separate list when it is disabled. When you add a Web site to the Trusted sites zone, you are adding it only to the list that is currently being used.

If you attempt to browse a Web site that uses scripting or ActiveX controls, Internet Explorer with IE ESC enabled will prompt you to consider adding the site to the Trusted sites zone. You should add the Web site to the Trusted sites zone only if you are sure that the Web site is trustworthy. If this prompt is disabled, it can be enabled again by selecting the Display enhanced security configuration dialog check box in the Advanced tab of the Internet Options dialog box. For more information about adding Web sites to Internet Explorer security zones, see Security zones: adding and removing websites 81287.

In addition to raising the default security level of each zone, IE ESC also adjusts Internet options to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of the Internet Options dialog box. The following describes the options that are changed when IE ESC is enabled.

Enable third-party browser extensions: Disables Internet Explorer add-ons that might have been created by companies other than Microsoft.

Disables music and other sounds.

Check for server certificate revocation: Automatically checks a Web site's certificate to determine if the certificate has been revoked.

Do not save encrypted pages to disk: Disables saving encrypted information in the Temporary Internet Files folder.

Empty Temporary Internet Files folder when browser is closed: Automatically clears the Temporary Internet Files folder when Internet Explorer is closed.

Warn if changing between secure and not secure mode: Displays a warning when a Web site is redirecting the browser from a Web site with security features implemented (HTTPS) to a Web site without security features implemented (HTTP).

The Internet Explorer home page location is changed when IE ESC is enabled or disabled. This change ensures that the home page will open without prompting the user to add it to the Trusted sites zone. This is done by changing the home page to an HTML file stored locally on the computer. If you want to change the home page when IE ESC is enabled, add this home page to the Trusted sites zone before making the change. The following lists the home page associated with each scenario.

IE ESC is enabled, and the user account is a member of the local Administrators group.

res://iesetup.dll/HardAdmin.htm

IE ESC is disabled, and the user account is a member of the local Administrators group.

res://iesetup.dll/SoftAdmin.htm

IE ESC is enabled, and the user account is not a member of the local Administrators group.

res://iesetup.dll/HardUser.htm

Note: If Internet Explorer is customized by using the Internet Explorer Administration Kit, the home page is not changed to one of the IE ESC home pages listed in the table when IE ESC is enabled or disabled.

These changes reduce the functionality in Web pages, Web-based applications, local network resources, and applications that use a browser to display Help, support, and general user assistance.

When IE ESC is enabled, the following Web sites are added to the appropriate security zones:

The Windows Update and Windows Error Reporting Web sites are added to the Trusted sites zone.

are added to the Local intranet zone.
