How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?

Hi Everyone!

Axel Rivera again from the IE Escalation team with another IE Enhanced security topic for your viewing pleasure!

UPDATE: I have tested the .bat file that will disable IE Enhanced Security for Windows 2003, Windows 2008 and 2012 TS Servers. The key is that you have to execute the file while logged on as the problem user. Basically, once your users have these settings in their profile, the only way to remove them is to either delete the profile and let it be re-created from a fixed profile, or execute the fix mentioned in this article.

In this blog I would like to share a batch file I use to help disable IE Enhanced Security silently on Windows servers. The challenge is that if you have multiple servers, removing it from the server console is not practical and can require tremendous administrative overhead.

Please note: The same task can be achieved from the Add or Remove Programs user interface on Windows 2003 Server and from the Server Manager console on Windows 2008 Server!

Cut and paste the lines below into Notepad and save the file as "DisableIEES.bat". This will create a simple batch file which can be used to disable IEES (IE Enhanced Security), or download it here!

REM  IEHarden Removal Project
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden Removal Project End
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server

:: Remove the leading :: from the two lines below if you would like to back up the registry keys first
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%\HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%\HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

:: Sets IEHarden to 0 (disabled); a value of 1 means IE hardening is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f

::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios
::Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow

:: This applies to Windows 2003 servers. /v deletes only the named value; /va (all values) cannot be combined with /v
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f

::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

:: Optional: removes the warning on the first IE run and sets the home page to blank. Prefix the lines below with :: if you do not want this
:: 32-bit HKCU Keys
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
:: This will disable a warning the user may get regarding Protected Mode being disabled for intranet, which is the default.
:: See article
:: Intranet Protected Mode is disabled. The warning should not appear and this key will disable the warning
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "NoProtectedModeBanner" /t REG_DWORD /d 1 /f

:: Removing Terminal Server Shadowing x86 32bit
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
:: Removing Terminal Server Shadowing Wow6432Node
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

Here is where you can set the login script in a policy:

> From Start\run type: gpedit.msc

> From User Configuration

   > Windows Settings

      > Scripts(logon\logoff)

         > Select Logon

            > Click on the Add... button

            > Click on the Browse... button

            > Navigate to the directory where you saved the file (EXE or BAT)

               [You can copy the file to the default Logon script directory: %windir%\system32\grouppolicy\user\scripts\logon]

            > Click the Apply and OK buttons to complete

> Close GPEdit.msc

> Start\run type: gpupdate /force to update the policy

> Log in with a profile you know has the problem and see if this takes care of the problem.

More information:

There are two parts to turning off IE Enhanced Security.

We need to first identify the registry keys used to change the IE Enhanced Configuration Settings.

Here are the keys in .reg export format:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]





[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]



Then, we use the rundll32.exe command to execute the IEHarden.inf with some parameters to help turn off the Machine ("IEHardenMachineNow"), Administrator ("IEHardenAdmin") and User ("IEHardenUser") configuration.

Here are the commands I use to turn off IE Maintenance using the IEHarden.inf file:

Rundll32 iesetup.dll,IEHardenUser

Rundll32 iesetup.dll,IEHardenAdmin

Rundll32 iesetup.dll,IEHardenMachineNow

After you execute the batch file from an existing user profile, you should consider logging out and logging back in to make sure the changes take effect. New users should now have IE Enhanced Security disabled.
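
A read-only check of the registry values the batch file writes, run in the affected user's session (an added example, not part of the original post). The function name Get-IEEscState, the scope labels and the Enabled/Disabled/NotSet states are this example's own, and treating "machine values off, profile value still 1" as the problem-user case is its reading of the update note above.

```powershell
# Added example: reports the IE ESC values from the article without changing anything.
# Uses New-Object instead of [pscustomobject] so it also runs on PowerShell 2.0.
function Get-IEEscState {
    $ac = 'SOFTWARE\Microsoft\Active Setup\Installed Components'
    $zm = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $checks = @(
        @{ Scope = 'Admins';  Path = "HKLM:\$ac\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"; Name = 'IsInstalled' },
        @{ Scope = 'Users';   Path = "HKLM:\$ac\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"; Name = 'IsInstalled' },
        @{ Scope = 'Machine'; Path = "HKLM:\$zm"; Name = 'IEHarden' },
        @{ Scope = 'Profile'; Path = "HKCU:\$zm"; Name = 'IEHarden' }
    )
    foreach ($c in $checks) {
        # A missing key or value yields $null rather than an error
        $item  = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        $state = if ($null -eq $value) { 'NotSet' } elseif ($value -eq 0) { 'Disabled' } else { 'Enabled' }
        New-Object PSObject -Property @{ Scope = $c.Scope; Name = $c.Name; Value = $value; State = $state } |
            Select-Object Scope, Name, Value, State
    }
}

$report = @(Get-IEEscState)
$report | Format-Table -AutoSize

# Flag a profile that still carries IEHarden = 1 although no machine-wide value is enabled
$machineOff = -not ($report | Where-Object { $_.Scope -ne 'Profile' -and $_.State -eq 'Enabled' })
$profileOn  = [bool]($report | Where-Object { $_.Scope -eq 'Profile' -and $_.State -eq 'Enabled' })
if ($machineOff -and $profileOn) {
    Write-Warning 'Machine-wide IE ESC is off, but this profile still has IEHarden = 1.'
}
```

Running it before and after the batch file, and again after logging back in, shows which of the four values actually changed for that profile.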


Disabling IE Enhanced Security from Windows 2008 Server

To enable or disable IE ESC for all users that log on to the computer

  • Close Internet Explorer.
  • Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  • Under Security Information, click Configure IE ESC.

Note: Server Manager opens with the same window that was in use when it was last closed. If you do not see the Security Information section, click Server Manager in the console tree.

  • To disable IE ESC, click Off under both Administrators and Users, and then click OK. [If, when viewing the Internet Settings, you see that the Security Zones are still grayed out, enable IE ESC again and then disable it to make sure these settings take effect. Internet Explorer should be closed when making these changes.]

Note: If Internet Explorer is open when IE ESC is enabled or disabled, you must restart Internet Explorer for the IE ESC changes to become active.



The IE Support Team

Comments (8)

  1. Frank Lesniak says:

    Awesome! Does this also apply to Server 2008 R1/R2?

  2. Christian M says:

    Is there a way using a script / tool like OCSetup to enable/disable IE ESC on Microsoft Windows Server 2008 (R2) OSs?

    I played around with an unattend.xml, tried to run it after/post install using OCSetup, but I haven’t been successful so far.

    In the past (Windows Server 2003) we managed the IE ESC using an inf-file like:




    and gave that file as an instruction to the SysOCManager like:

    SYSOCMGR.EXE /i:%windir%infsysoc.inf /u:%SystemDrive%OSSetupUn-HardenIE.inf

    We’ve looked around for a similar approach, but there are only hacks using RegKey to manipulate, resulting in a non-functional behaviour of the ServerManager GUI…

    Help’s really appreciated.


  3. Kevin says:

    This is great!  I’ve been doing this through an active directory GPO template, but I’ve been looking for quite a while to find the registry keys.  Thanks!

    Christian:  I’ve also used an unattend.xml script to disable IE ESC during installation of Windows Server 2008 R2 virtual machines.  I included the following block in the script:

    <component name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="…" xmlns:xsi="…">




    Hope it helps.

  4. Rags says:

    You are awesome! This worked like a charm on my 2008 R2 machine.

  5. Mark76 says:

    Thank You. This worked on my Windows Server 2008 with Terminal Services.

  6. Michael Klinteberg says:

    Great article!

    My own solution was to only edit the two registry entries. This did not work as it blocked any changes to the internet zone and was always set to high.

    After reading this article I was missing part 2 (the rundll32 stuff) and now everything is great.

    Thank you.

  7. aalia lyon says:

    Nice blog. This blog helps you to find whether your DLL file is corrupt or missing. Please go through this link.

    How To Remove Rundll Error (…/how-to-remove-rundll-error.html)


    Aalia lyon

  8. Anton Boldyrev says:

    Thanks! This article is very useful for me.
