Microsoft KB Archive/933991

= Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server =

Article ID: 933991

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition




Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
After you configure a Microsoft Windows Server 2003-based terminal server, standard users cannot turn off the Internet Explorer Enhanced Security Configuration feature. When a standard user clicks to clear the Internet Explorer Enhanced Security Configuration check box, the check box remains clear as expected. However, Internet Explorer Enhanced Security Configuration is still enabled.

Note You are more likely to experience this behavior on a terminal server that you configured from a prepared image (Sysprepped image).



RESOLUTION
To resolve this problem, use one or more of the following methods, as appropriate for your situation.

Method 1: Rebuild the terminal server
If the terminal server was configured to have Internet Explorer Enhanced Security Configuration enabled and if the terminal server is in a locked down environment, you may be unable to completely remove Internet Explorer Enhanced Security Configuration.

In this case, it may be quicker to rebuild the terminal server. When you do this, use an Unattend.txt file together with the Windows Setup program to disable Internet Explorer Enhanced Security Configuration during the installation of Windows.

Method 2: Modify Internet Explorer settings for administrator accounts
For administrator accounts, you can run the following command to turn off Internet Explorer Enhanced Security Configuration:

rundll32.exe setupapi.dll,InstallHinfSection IESoftenAdmin 128 %windir%\inf\IEHARDEN.INF

Note You must run this command by using an account that has administrative credentials. Additionally, for the changes to take effect, you must restart the computer after you run this command.

Method 3: Remove the IEHarden registry entry for particular standard user accounts
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To turn off Internet Explorer Enhanced Security Configuration for a few user accounts, you can remove the IEHarden registry entry from each standard user account profile. To do this, follow these steps:

 1. Log on to the terminal server by using the credentials of the standard user account.
 2. Click Start, click Search, and then search for the Regedit.exe file.
 3. Right-click regedit.exe, and then click Run as.
 4. Click The following user, type an account name that has administrative credentials, and then click OK.
 5. Locate and then click the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap

 6. In the details pane, right-click IEHarden, click Modify, type 0 (zero) in the Value data box, and then click OK.

    Note You can also remove this registry entry.
 7. Locate and then click the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 8. In the details pane, right-click IEHardenIENoWarn, click Modify, type 0 (zero) in the Value data box, and then click OK.

    Note You can also remove this registry entry.
 9. Exit Registry Editor, and then start Internet Explorer.
 10. On the Tools menu, click Internet Options.
 11. Click the Advanced tab, click Restore Defaults, and then click OK.
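
A check for the two values named in Method 3, as an added PowerShell example that is not part of the original article. It assumes Windows PowerShell is installed on the terminal server and that the script runs in the standard user's own logon session; the `-Fix` switch is a hypothetical name chosen for this example.

```powershell
# Added example, not from the KB article.
# Reports the per-user values from Method 3 and, with -Fix, sets them to 0.
# Assumption: run in the logon session of the user being checked, because
# HKCU: resolves to the registry hive of the account that runs the process.
param([switch]$Fix)   # hypothetical switch: without it the script only reports

$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$targets = @(
    @{ Path = "$settings\Zonemap"; Name = 'IEHarden' },
    @{ Path = $settings;           Name = 'IEHardenIENoWarn' }
)

foreach ($t in $targets) {
    $path = $t.Path
    $name = $t.Name
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # A missing value is acceptable: the article notes the entry can also be removed.
        Write-Output ("{0}\{1}: not present" -f $path, $name)
        continue
    }

    $value = $item.$name
    Write-Output ("{0}\{1} = {2}" -f $path, $name, $value)

    if ($Fix -and $value -ne 0) {
        # Overwrite the existing value with 0, as in steps 6 and 8 of Method 3.
        Set-ItemProperty -Path $path -Name $name -Value 0
        Write-Output ("  set {0} to 0" -f $name)
    }
}
```

Running it without `-Fix` before and after the user clears the check box shows whether the registry state actually changed, which is the mismatch described under SYMPTOMS.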

Method 4: Create a new default profile for standard user accounts
You may have an environment in which one or more of the following conditions are true:
 * You want to turn off Internet Explorer Enhanced Security Configuration for all users.
 * You use application publishing for Internet Explorer. In this scenario, no shell is available in which to load a user's profile. Therefore, the .DEFAULT registry subkey is used for the user profile information.
 * You use a Citrix-based terminal server, and no local profile exists for a user or for users. In this scenario, the Citrix system uses the .DEFAULT registry subkey for user profile information.

In this scenario, follow these steps:

 1. Create a new user account that has full rights to the Windows desktop. For example, use an account that has administrative credentials.
 2. Log on to the terminal server by using this new account, and then turn off Internet Explorer Enhanced Security Configuration by using the "Add or Remove Programs" item in Control Panel.
 3. Log off the terminal server.
 4. Copy the NTUser.dat file from this new account profile to the Default User profile folder on the terminal server. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

    325364 How to create a custom default user profile in the Windows Server 2003 family

    Note This action overwrites the existing NTUser.dat file in the Default User profile folder. Therefore, you may want to back up the original NTUser.dat file before you perform this action.
 5. Create a Group Policy object to disable or to enable Internet Explorer hardening in the Active Directory directory service. To do this, follow these steps in the "Using Group Policy to Enable or Disable Internet Explorer Enhanced Security Configuration by Setting Preferences with InetESC.adm" section of the Managing Internet Explorer Enhanced Security Configuration white paper. To obtain this white paper, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

    The package in which this white paper is contained includes the InetESC.adm file. You can use this file to configure Internet Explorer Enhanced Security Configuration.

<div class="references_section">