2 Best Ways to Disable IE Enhanced Security on Windows Server

Prajwal Desai
Posted by Prajwal Desai
Disable IE Enhanced Security on Windows Server

In this article, I will show you how to disable IE Enhanced security on Windows Server. Some software programs to work correctly on Windows Server, you need to turn off enhanced security for Internet Explorer.

Internet Explorer Enhanced Security Configuration (IE ESC) establishes security settings that define how users browse Internet and intranet Websites. These settings also reduce the exposure of your server to websites that might present a security risk.

Internet Explorer Enhanced Security Configuration places your server and Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through Web content and application scripts. As a result, some websites may not display or perform as expected.

Should you turn off IE Enhanced Security Configuration?

From a security perspective, it is not recommended to disable IE enhanced security on your Windows servers because it can reduce the security and can potentially expose the server to attacks. However, when the IE enhanced security is enabled, it prevents websites from displaying correctly in Internet Explorer and can restrict access to network resources, such as files on Universal Naming Convention (UNC) shared folders.

Note: Internet Explorer is now retired by Microsoft. You must use Microsoft Edge instead for a better experience and enhanced security. Take a look at the guide on uninstalling IE on Windows Server.

Content blocked by IE Enhanced Security Configuration

When the IE ESC is enabled, you get a pop-up when you visit a website on the Internet Explorer. Content from the website listed below is being blocked by the Internet Explorer enhanced security configuration. You are asked to add every new URL to the IE trusted sites zone.

To bypass the IE enhanced security configuration error, you need to check the box for “Continue to prompt when website content is blocked.” Only then you can view the website properly.

With enhanced security turned ON, you can add the website to the inclusion lists in the Local intranet or trusted sites zones to view it properly without any issues. That’s a workaround if your organization doesn’t permit you to turn off the IE enhanced security.

Disable IE Enhanced Security on Windows Server
Disable IE Enhanced Security on Windows Server

Disable IE Enhanced Security on Windows Server

To disable enhanced security for Internet Explorer, follow the steps below:

  1. Launch Server Manager on your Windows Server.
  2. On the left-hand side, select Local Server.
  3. To the right, select IE Enhanced Security Configuration.
  4. Select the Off radio button to disable enhanced security for both users and administrators.
  5. Select the Refresh icon on the Server Manager toolbar to see the new settings reflected in the server manager.

The above procedure works on the following Windows Server operating systems:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
Disable IE Enhanced Security on Windows Server
Disable IE Enhanced Security on Windows Server

You can turn off the IE ESC for both Administrators and Users.

Disable IE Enhanced Security on Windows Server
Disable IE Enhanced Security on Windows Server

Disable IE ESC using Script on Windows Servers

If you want to disable the IE Enhanced Security on multiple Windows Servers, you can run the below VB Script. This script is provided by Microsoft and works on most of Windows Server operating systems.

Perform the following steps to disable Internet Explorer enhanced security configuration via a script:

  1. Create an IEHArden_V5.bat file with the following batch file content.
  2. Run the bat file either at an administrative command prompt or via log-in script.
ECHO OFF
REM  IEHarden Removal Project
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden Removal Project End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: Rem out if you like to Backup the registry keys
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::x64
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios
::Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow
::This apply to Windows 2003 Servers
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /f /va
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va
:: Optional to remove warning on first IE Run and set home page to blank. remove the :: from lines below
:: 32-bit HKCU Keys
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
:: This will disable a warning the user may get regarding Protected Mode being disable for intranet, which is the default.
:: See article http://social.technet.microsoft.com/Forums/lv-LV/winserverTS/thread/34719084-5bdb-4590-9ebf-e190e8784ec7
:: Intranet Protected mode is disable. Warning should not appear and this key will disable the warning
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "NoProtectedModeBanner" /t REG_DWORD /d 1 /f
:: Removing Terminal Server Shadowing x86 32bit
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
:: Removing Terminal Server Shadowing Wow6432Node
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

Read Next

Share This Article
Prajwal Desai
Posted by Prajwal Desai
Follow:
Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.
4 Comments