In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.
By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case scenario, it affected a script from executing for Standard users.
Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.
Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.
STEPS:
- Open your GMPC.MSC console and navigate to User Configuration / Preferences / Windows Settings
- Right Click on the Registry object from the left hand pane and select New> registry Item
- From New Registry Properties, you can fill in the following settings:
- For Hive: HKEY_CURRENT_USER
- For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- For Value name: IEHarden
- For Value Type: REG_DWORD
- For Value data: 0 OR 00000000
Screenshot:
- Apply and OK to complete this GPP Configuration
NOTE: You may also want to check the following registry keys if this value alone does not help resolved your case scenario. In most cases, this is not needed!
- HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HEKY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Another way to get the key change is using a batch file, you can easily use the REG.exe to change the settings.
Examples
TO HELP SET THE IEHARDEN VALUE TO 0
ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
TO COMPLETELY DELETE THE KEY USING A BATCH FILE:
ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: Deletes the IE Harden for users
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
HOW DO I KNOW THE GPO IS WORKING?
- The best way to validate the gpo is working is to become familiar with the registry location being affected by this setting. So, simply navigate to the HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify the IEHarden entry exist with REG_DWORD value set to 0 for the logon user account.
Other Related Blog Post:
- How to troubleshoot IE Enhanced Security warning "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" ?
- How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?
This blog has been provided to you by the IE Support team!