For many admins, Internet Explorer Enhanced Security Configuration (IE ESC) is a mystery. What is it actually for? For enhancing the security of Internet Explorer? Nobody seriously believes that. The accurate name for this “feature” would be “Internet Explorer Limited Usability.” If IE ESC is enabled, Internet Explorer is essentially disabled because you can no longer use it in a reasonable way.

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.

If you try to open Microsoft.com in Internet Explorer on Windows Server 2012, you have to click 18 times (I counted) until IE ESC believes that the site of Internet Explorer’s maker is secure. If you then click a link, the click orgy starts all over again. I doubt that anybody is using Internet Explorer in this way. I suppose it is the best way to get arthritis in your forefinger.

Internet Explorer - Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration

Yes, if you work with the zone feature in Internet Explorer, you can at least work with Internet Explorer to access corporate websites. However, it’s only the large organizations that really benefit from this feature.

Don’t get me wrong. Using Internet Explorer on a server is indeed a severe security risk. Thus, it would make sense if one could completely uninstall Internet Explorer. There are political reasons for why this isn’t possible.

The history of Internet Explorer Enhanced Security

You might remember that, a while back, some Internet activists were very angry at Microsoft because Microsoft annihilated an ambitious company called Netscape (who, in turn, dared to threaten to destroy Microsoft with its tiny HTML file viewer). The activists managed to persuade some influential politicians that votes can be won by bashing this big and evil company in Redmond that endangers the “free” Internet (whatever that was). This somehow forced Bill Gates and other high-ranking Microsoft managers to testify in court that removing Internet Explorer would cause malfunctions in Windows.

When it became obvious that using a web browser on a server is not really such a good idea, Microsoft faced a dilemma. Of course, it is impossible to admit now that Windows without Internet Explorer is doable. Microsoft’s engineers had to therefore think of a way to remove Internet Explorer without actually removing it. We call the fruits of this tinkering “Internet Explorer Enhanced Security,” and it is the reason why millions of Windows Server admins are in danger of getting forefinger arthritis.

How to avoid forefinger arthritis

So what can you do if you want to keep the agility of your forefinger?

1. Don’t use a web browser on a server.

Do you really need a web browser on a server? If Microsoft’s engineers believe it is worth annoying millions of admins with Internet Explorer Enhanced Security Configuration, they must have a good reason. All your firewalls, anti-malware, and intrusion detection systems are relatively useless if you invite the bad guys into your network by using a web browser with admin privileges on a server. Are you sure you need the browser on your server? Read on.

2. Use a (relatively) secure web browser.

There is no such thing as a secure web browser. However, you can use a web browser that is more secure than Internet Explorer. I know of only two browsers for Windows that deserve this title: Lynx and Opera. I suppose the somewhat limited capabilities of Lynx will make Opera your first choice. It is a good choice because almost no one uses this browser; therefore, the bad guys don’t bother to dig for its security holes. Don’t even think of installing Firefox or Chrome on a server. The security you gain this way is exactly NIL because the market share of these browsers is now comparable to that of Internet Explorer, and the Mozilla and Google developers certainly don’t know more about browser security than Microsoft’s programmers.

3. Disable Internet Explorer Enhanced Security Configuration.

You can disable IE ESC, probably because Microsoft’s lawyers are afraid that in a few years they will get swamped by lawsuits by former admins who got severe forefinger arthritis. There are a few situations where it makes sense to turn off IE ESC—for instance, on a Terminal Server where end users (with standard user rights) need a browser. It is also the first thing I do on a freshly installed test server that runs in a virtual and isolated lab environment. This allows me to download tools I want to test or use web-based admin interfaces on the server. And, of course, the number one reason is that you probably think that you are an admin who knows what you are doing and only surfs to sites that you trust not to load code from sites that you don’t trust. There are various ways to disable IE ESC.

Caution Internet Explorer Enhanced Security Configuration is not enabled

Server Manager / Control Panel

This is the option you use if you only want to disable IE ESC on a single server. We have descriptions for Windows Server 2008 R2 and Windows Server 2012 on 4sysops.

In Windows Server 2003, you can disable IE ESC in the Control Panel through the Add or Remove Programs applet with the Add/Remove Windows Components function. You can do this either for administrator groups or for all other user groups.

PowerShell

If you need to turn off IE ESC on multiple servers, you can do so faster by using a PowerShell script. No PowerShell cmdlet exists for this task; however, since IE ESC is controlled by values in the Registry, it is not a big deal to leverage PowerShell for the task. Don’t worry, this doesn’t involve a lot of typing. We have already done the work for you.
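As an added illustration (not the 4sysops script this post refers to), the following PowerShell audits and disables IE ESC through the two Active Setup registry values that Alan’s comment below also uses; the server names are constructed placeholders, and the remoting part assumes WinRM is enabled on the targets.

```powershell
# Added example, not the 4sysops script the post links to. Uses the two
# Active Setup keys quoted in Alan's comment: ...A7 = administrators, ...A8 = users.
# Run in an elevated session; remoting assumes WinRM is enabled on the targets.
$IEESCKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEESCState {
    # Audit before changing anything: IsInstalled 1 = IE ESC on, 0 = off.
    foreach ($scope in $IEESCKeys.Keys) {
        $v = (Get-ItemProperty -Path $IEESCKeys[$scope] -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{ Scope = $scope; Enabled = ($v -eq 1) }
    }
}

function Set-IEESC {
    # -Enabled $false turns IE ESC off; -Enabled $true restores the default (1).
    param(
        [ValidateSet('Administrators', 'Users')][string[]]$Scope = @('Administrators', 'Users'),
        [bool]$Enabled = $false
    )
    foreach ($s in $Scope) {
        Set-ItemProperty -Path $IEESCKeys[$s] -Name IsInstalled -Value ([int]$Enabled) -Type DWord
    }
    # Open IE windows keep the old setting until they are restarted.
    Stop-Process -Name iexplore -ErrorAction SilentlyContinue
}

# Single server: turn it off for administrators only, then confirm.
Set-IEESC -Scope Administrators
Get-IEESCState

# Several servers: the names below are constructed placeholders. The hashtable
# is passed as one argument so the remote side needs no variables from here.
$servers = @('SRV01', 'SRV02')
Invoke-Command -ComputerName $servers -ArgumentList $IEESCKeys -ScriptBlock {
    param($Keys)
    foreach ($path in $Keys.Values) {
        Set-ItemProperty -Path $path -Name IsInstalled -Value 0 -Type DWord
    }
    "IE ESC disabled for administrators and users on $env:COMPUTERNAME"
}
```

Running Get-IEESCState first gives you a record of the state before you change it, which is what you want when the setting is later pushed back by Group Policy.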

Group Policy

A major downside of using PowerShell for automation tasks is that computers that are offline don’t receive the settings. Thus, if you need to disable IE ESC on a large number of servers, I recommend Microsoft’s fabulous automation GUI tool Group Policy. This is the topic of my next post.

Disable the IE ESC dialog box

I like this option because it allows you to disable the Internet Explorer Enhanced Security Configuration warning dialog box without actually disabling IE ESC. I will cover this option in the last post of this series.

3 Comments
  1. Stephen Schuler 1 year ago

    As a note, for IIS there are now some add-ons that are very difficult to install without using the Web Platform Installer. This is essentially just a browser-based app (based on IE), and so you need browsability to use WPI. And you run smack into IESC.

  2. HOWARD Story 1 year ago

    You are so correct, Stephen. And you run right into this on a Terminal Server that has it disabled, when you add a new user. ESC is turned on and you have to reset IE, then not accept the defaults, so that the app will run correctly. I have not found a way to just simply turn it off. When I check, it says that it is already off. Guess one day I will run a diff on the registry and figure out what changes between the settings.

  3. Alan 4 months ago

    In GPO Management, within your selected GPO, navigate to “Computer Configuration”, “Preferences”, “Windows Settings”, “Registry”. Use the following settings for Admins:
    Action: Update
    Properties: Hive HKEY_LOCAL_MACHINE
    Key path SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
    Value name IsInstalled
    Value type REG_DWORD
    Value data 0x0 (0)

    In GPO Management, within your selected GPO, navigate to “Computer Configuration”, “Preferences”, “Windows Settings”, “Registry”. Use the following settings for Users:
    Action: Update
    Properties: Hive HKEY_LOCAL_MACHINE
    Key path SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
    Value name IsInstalled
    Value type REG_DWORD
    Value data 0x0 (0)

    That should solve your problem.
