How to manage the IEHarden Setting for users using Group Policy Preferences (GPP)?


In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.

By default, IE Enhanced Security is enabled in Windows, and this setting can impact some web applications. In this scenario, it affected a script's execution for Standard users.

In other scenarios, the user cannot see the items in the Trusted Sites zone settings.

 

Objective: To change the IEHarden registry value for users through a Group Policy Preferences Registry configuration.

Requirements: Be familiar with the GPMC.MSC console and Group Policy Preferences.

Applies To: Windows 2000, Windows 2003, Windows 2008 and Windows 2012 servers (including R2 versions) running a Terminal Server configuration.

Scenarios:

  • You are working out of a Terminal Server
  • Your Trusted Sites Zone settings may be grayed out and you are unable to see the entries
  • You are using the Site to Zone Assignment List and it appears not to be working
  • Zone GPO entries are not showing in the Local Intranet Zone or Trusted Sites

STEPS:

  • Open your GPMC.MSC console and navigate to User Configuration / Preferences / Windows Settings
  • Right-click the Registry object in the left-hand pane and select New > Registry Item

  • From New Registry Properties, you can fill in the following settings:
    • For Hive: HKEY_CURRENT_USER
    • For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    • For Value name: IEHarden
    • For Value Type: REG_DWORD
    • For Value data: 0 OR 00000000

  • Apply and OK to complete this GPP Configuration

 

NOTE: You may also want to check the following registry keys if this value alone does not help resolve your scenario. In most cases, this is not needed!

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

 

Another way to make the key change is with a batch file: you can use REG.exe to change the settings.

Examples

TO HELP SET THE IEHARDEN VALUE TO 0

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f

TO COMPLETELY DELETE THE KEY USING A BATCH FILE:

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Deletes the IE Harden for users
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

 

HOW DO I KNOW THE GPO IS WORKING?

  • The best way to validate that the GPO is working is to become familiar with the registry location affected by this setting. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify that the IEHarden entry exists as a REG_DWORD with its value set to 0 for the logged-on user account.
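
One way to run that check from a PowerShell prompt inside the user's session, as an added example that is not part of the original post (the function name Get-IEHardenState is hypothetical). It reads IEHarden from the three ZoneMap locations listed in the NOTE above and reports, per location, whether the key and value exist and what the value is.

```powershell
# Added example: report the IEHarden value in each ZoneMap location named on this page.
# Run it as the logged-on user whose settings you want to verify (HKCU is per user).
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$wowKey = 'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$locations = @(
    "HKCU:\$subKey",
    "HKLM:\$subKey",
    "HKCU:\$wowKey"
)

# Hypothetical helper name; it only reads the registry and changes nothing.
function Get-IEHardenState {
    param([string[]]$Path)

    foreach ($p in $Path) {
        $value = $null
        $state = 'KeyMissing'

        if (Test-Path -LiteralPath $p) {
            # The key exists; the IEHarden value under it may still be absent.
            $item = Get-ItemProperty -LiteralPath $p -Name IEHarden -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            }
            else {
                $value = $item.IEHarden
                $state = if ($value -eq 0) { 'Set to 0' }
                         elseif ($value -eq 1) { 'Set to 1' }
                         else { 'Unexpected value' }
            }
        }

        [pscustomobject]@{
            User     = "$env:USERDOMAIN\$env:USERNAME"
            Path     = $p
            IEHarden = $value
            State    = $state
        }
    }
}

Get-IEHardenState -Path $locations | Format-Table -AutoSize
```

A row showing 'Set to 1' or 'ValueMissing' under HKCU for a user the GPO targets means the preference item has not applied to that session.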

This blog has been provided to you by the IE Support team!

 

Comments (2)

  1. Jason Warner says:

    I've done this and I am still having problems with IE ESC not turning off for anyone other than the first admin within the box. I have searched the complete registry and changed every instance of IEharden to 0 and removed profiles and copied the ntuser.dat into the default profile and then signed back in and this still did not work. Server 2012 R2.

    1. Jason Warner says:

      Internet Explorer, IE ESC, IEharden is set to 0, IE ESC will not disable, Terminal server, RDS, RDP, RDBC, AWS
