Disable/Enable the Internet Explorer Enhanced Security Configuration for Users/Non-Admins with Group Policy

In a previous post, I covered disabling/enabling the Internet Explorer Enhanced Security Configuration (IE ESC) for Administrators via Group Policy. Disabling the IE ESC for Administrators is usually something I don’t recommend in a production environment. However, disabling it for Users/Non-Administrators is a different story. In most cases, you won’t have someone without Admin rights logging in to a console or over Remote Desktop (RDP) to your servers… that is, unless you’re running Terminal Services/Remote Desktop Services or a third-party product like XenApp. In those environments, it is very normal to have users logged into a remote session who do need access to a fully functional web browser. Microsoft didn’t give us any kind of obvious Group Policy setting to enable or disable the IE ESC. Like the setting for Admins, it is a Registry entry that can be tweaked with Group Policy Preferences for deployment to groups of servers, so that you can make sure your end users are receiving a consistent environment.

First, you’ll need a Group Policy Object that will contain the settings. In my example, I’ve used a standalone GPO for testing purposes, but this could easily go in the policy that applies to all your servers or a subset of your servers. Note: I created all these screenshots on Server 2012 so that the Registry keys would exist. If you’re doing this on a desktop OS, you may need to copy/paste over a few of the Registry keys.

Open your GPO, and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Right-click on Registry and choose New > Registry Item.

In the New Registry Properties window, click the [...] button next to Key Path.

 

Navigate down to the following Registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}

Once you’re there, click the key, then click “IsInstalled,” and click Select.

You should end up with a screen that looks something like this:

Note that if you’re creating this on a server, the ‘Value data’ field will be populated based on how the IE ESC is currently configured: 00000001 for Enabled and 00000000 for Disabled.

Here’s how you can set the settings manually:

  1. Action: Update
  2. Hive: HKEY_LOCAL_MACHINE
  3. Key Path: SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
  4. Value name: IsInstalled
  5. Value type: REG_DWORD
  6. Value data: 00000001 (IE ESC is Enabled for Users/Non-Admins)
  7. Value data: 00000000 (IE ESC is Disabled for Users/Non-Admins)
  8. Base: Hexadecimal

The final product should look something like this in the Group Policy Management Console:

While this setting will apply the next time Group Policy refreshes (or when you manually run gpupdate), the actively logged in user(s) will need to log out and back in for the setting to take effect.
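
To confirm the value actually landed on each server after the policy refresh, here is an added example (not from the original post) that reads the same key and value and flags servers that differ from the expected state. The function name, its parameters, and the server names are hypothetical, and the remote check assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example: audit the IE ESC (Users/Non-Admins) value that the GPO preference sets.
# Key path and value name come from the post; everything else is hypothetical.
function Test-IEEscUserSetting {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [ValidateSet(0, 1)][int]$Expected = 0   # 0 = Disabled, 1 = Enabled
    )

    # Runs on each target: returns the DWORD, or a marker string if it is absent.
    $check = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
        if (-not (Test-Path -LiteralPath $key)) { return 'KeyMissing' }
        $item = Get-ItemProperty -LiteralPath $key -Name IsInstalled -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 'ValueMissing' }
        [int]$item.IsInstalled
    }

    foreach ($computer in $ComputerName) {
        try {
            $raw = if ($computer -eq $env:COMPUTERNAME) {
                & $check
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop
            }
        } catch {
            $raw = 'Unreachable'
        }

        $state = switch ($raw) {
            1 { 'Enabled' }
            0 { 'Disabled' }
            default { $raw }
        }

        [pscustomobject]@{
            ComputerName = $computer
            IEEscUsers   = $state
            Compliant    = ($raw -is [int] -and $raw -eq $Expected)
        }
    }
}

# Constructed server names; replace with the servers the GPO is linked to.
Test-IEEscUserSetting -ComputerName 'RDSH01', 'RDSH02' -Expected 0 | Format-Table -AutoSize
```

A server reporting KeyMissing matches the desktop OS case noted earlier, where the Registry keys do not exist until they are copied over.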

Note: This setting works on all versions of Windows Server that include the IE ESC feature. For Windows Server 2003 R2, you will need to install the Group Policy Preferences Client Side Extensions.