see Manage add-ons in Internet Explorer 11.”
Preferences > Windows Settings.
In the navigation pane, right-click the Registry object, and then select New > Registry Item.
In IEHarden Properties, specify the following settings:
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Value name: IEHarden
Value Type: REG_DWORD
Value data: 0 or 00000000
Select Apply and OK to complete this GPP configuration.
Note
You may also want to check the following registry subkeys if this value does not resolve the problem. In most cases, this is not necessary.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Internet Explorer doesn’t seem to work after you disable ESC by using Server Manager
To troubleshoot this scenario, refer to Standard users can’t turn off Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server or a later version. Basically, you may have to enable or disable ESC again. Targeting the registry may be the easiest way to resolve this problem.” title=”FAQs about Enhanced Security Configuration | Microsoft Docs
Skip to main content
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
07/14/2020
In this article
Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration (ESC) establishes security settings that define how users browse the internet and intranet websites. These settings also reduce the exposure of servers to websites that might present a security risk. This process is also known as IEHarden. For more information, see Internet Explorer: Enhanced Security Configuration.
Original product version: Internet Explorer
Original KB number: 4551931
The default setting for Internet Explorer ESC
This feature is enabled by default on servers.
The effects of enabling Internet Explorer ESC
Internet Explorer ESC adjusts the Internet Explorer extensibility and security settings to reduce exposure to possible future security threats. These settings are on the Advanced tab of Internet Options in Control Panel. The following table describes the settings.
Feature
Entry
Setting
Result
Browsing
Display Enhanced Security Configuration dialog box.
On
Displays a dialog box to notify you when an internet site tries to use scripting or ActiveX Controls.
Enable Browser Extensions.
Off
Disables features that you installed for use together with Internet Explorer that are created by companies other than Microsoft.
Enable Install on Demand (Internet Explorer).
Disables installing Internet Explorer components on demand, if required by a webpage.
Enable Install on Demand (Other).
Disables installing web components on demand, if required by a webpage.
Microsoft VM
Just-in-time (JIT) compiler for virtual machine enabled (requires restart).
Disables the Microsoft VM compiler.
Multimedia
Do not display online content in the media bar.
Disables playback of media content in the Internet Explorer media bar.
Play animations in webpages.
Disables animations.
Play videos in webpages.
Disables video clips.
Security
Check for server certificate revocation (requires restart).
Automatically checks a website’s certificate to see whether the certificate has been revoked before accepting the certificate as valid.
Check for signatures on downloaded programs.
Automatically verifies and displays the identity of programs that you download.
Do not save encrypted pages to disk.
Disables saving secured information in your Temporary Internet Files folder.
Empty Temporary Internet Files folder when browser is closed.
Automatically clears the Temporary Internet Files folder when you close the browser.
These changes reduce the functionality in webpages, web-based applications, local network resources, and applications that use a browser to display online help, support, and general user assistance.
How to turn off Internet Explorer ESC on Windows servers
To turn off Internet Explorer ESC, follow these steps:
Enter Server Manager in Windows search to start Server manager application.
Select Local Server.
Navigate to the IE Enhanced Security Configuration property, select the current setting to open the property page, select the Off option button for the desired users, and then select OK.
Select the Refresh icon on the Server Manager toolbar to see the new settings reflected in the server manager.
The following video demonstrates this procedure:
For more information, see Manage the Local Server and the Server Manager Console.
How to disable Internet Explorer ESC by using a script
Create an file with the following batch file content.
Run the bat file either at an administrative command prompt or as part of log-in script by using the procedure that is documented at How to assign user logon scripts.
Contents of the batch file
ECHO OFF
REM IEHarden Removal Project
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM IEHarden Removal Project End
ECHO ON::Related Article::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server:::: Rem out if you like to Backup the registry keys::REG EXPORT “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” ” stalled “::REG EXPORT “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” ” stalled ”
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f::x64
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f::Disables IE Harden for user if set to 1 which is enabled
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios::Rundll32, IEHardenLMSettings
Rundll32, IEHardenUser
Rundll32, IEHardenAdmin
Rundll32, IEHardenMachineNow::This apply to Windows 2003 Servers
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenadmin” /f /va
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenuser” /f /va
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenadmin” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenuser” /t REG_DWORD /d 0 /f::REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” /f /va::REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /f /va:: Optional to remove warning on first IE Run and set home page to blank. remove the:: from lines below:: 32-bit HKCU Keys
REG DELETE “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “First Home Page” /f
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “Default_Page_URL” /t REG_SZ /d “about:blank” /f
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “Start Page” /t REG_SZ /d “about:blank” /f:: This will disable a warning the user may get regarding Protected Mode being disable for intranet, which is the default. :: See article:: Intranet Protected mode is disable. Warning should not appear and this key will disable the warning
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “NoProtectedModeBanner” /t REG_DWORD /d 1 /f:: Removing Terminal Server Shadowing x86 32bit
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f:: Removing Terminal Server Shadowing Wow6432Node
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
How to manage the IEHarden Setting for users by using Group Policy Preferences (GPP)
To change the IEHarden setting for users by using Group Policy Preferences Registry configuration, follow these steps:
Open the console, and then navigate to User Configuration > Preferences > Windows Settings.
In the navigation pane, right-click the Registry object, and then select New > Registry Item.
In IEHarden Properties, specify the following settings:
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Value name: IEHarden
Value Type: REG_DWORD
Value data: 0 or 00000000
Select Apply and OK to complete this GPP configuration.
Note
You may also want to check the following registry subkeys if this value does not resolve the problem. In most cases, this is not necessary.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Internet Explorer doesn’t seem to work after you disable ESC by using Server Manager
To troubleshoot this scenario, refer to Standard users can’t turn off Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server or a later version. Basically, you may have to enable or disable ESC again. Targeting the registry may be the easiest way to resolve this problem.” />
FAQs about Enhanced Security Configuration | Microsoft Docs
Skip to main content
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
07/14/2020
In this article
Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration (ESC) establishes security settings that define how users browse the internet and intranet websites. These settings also reduce the exposure of servers to websites that might present a security risk. This process is also known as IEHarden. For more information, see Internet Explorer: Enhanced Security Configuration.
Original product version: Internet Explorer
Original KB number: 4551931
The default setting for Internet Explorer ESC
This feature is enabled by default on servers.
The effects of enabling Internet Explorer ESC
Internet Explorer ESC adjusts the Internet Explorer extensibility and security settings to reduce exposure to possible future security threats. These settings are on the Advanced tab of Internet Options in Control Panel. The following table describes the settings.
Feature
Entry
Setting
Result
Browsing
Display Enhanced Security Configuration dialog box.
On
Displays a dialog box to notify you when an internet site tries to use scripting or ActiveX Controls.
Enable Browser Extensions.
Off
Disables features that you installed for use together with Internet Explorer that are created by companies other than Microsoft.
Enable Install on Demand (Internet Explorer).
Disables installing Internet Explorer components on demand, if required by a webpage.
Enable Install on Demand (Other).
Disables installing web components on demand, if required by a webpage.
Microsoft VM
Just-in-time (JIT) compiler for virtual machine enabled (requires restart).
Disables the Microsoft VM compiler.
Multimedia
Do not display online content in the media bar.
Disables playback of media content in the Internet Explorer media bar.
Play animations in webpages.
Disables animations.
Play videos in webpages.
Disables video clips.
Security
Check for server certificate revocation (requires restart).
Automatically checks a website’s certificate to see whether the certificate has been revoked before accepting the certificate as valid.
Check for signatures on downloaded programs.
Automatically verifies and displays the identity of programs that you download.
Do not save encrypted pages to disk.
Disables saving secured information in your Temporary Internet Files folder.
Empty Temporary Internet Files folder when browser is closed.
Automatically clears the Temporary Internet Files folder when you close the browser.
These changes reduce the functionality in webpages, web-based applications, local network resources, and applications that use a browser to display online help, support, and general user assistance.
How to turn off Internet Explorer ESC on Windows servers
To turn off Internet Explorer ESC, follow these steps:
Enter Server Manager in Windows search to start Server manager application.
Select Local Server.
Navigate to the IE Enhanced Security Configuration property, select the current setting to open the property page, select the Off option button for the desired users, and then select OK.
Select the Refresh icon on the Server Manager toolbar to see the new settings reflected in the server manager.
The following video demonstrates this procedure:
For more information, see Manage the Local Server and the Server Manager Console.
How to disable Internet Explorer ESC by using a script
Create an file with the following batch file content.
Run the bat file either at an administrative command prompt or as part of log-in script by using the procedure that is documented at How to assign user logon scripts.
Contents of the batch file
ECHO OFF
REM IEHarden Removal Project
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM IEHarden Removal Project End
ECHO ON::Related Article::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server:::: Rem out if you like to Backup the registry keys::REG EXPORT “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” ” stalled “::REG EXPORT “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” ” stalled ”
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f::x64
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /v “IsInstalled” /t REG_DWORD /d 0 /f::Disables IE Harden for user if set to 1 which is enabled
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios::Rundll32, IEHardenLMSettings
Rundll32, IEHardenUser
Rundll32, IEHardenAdmin
Rundll32, IEHardenMachineNow::This apply to Windows 2003 Servers
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenadmin” /f /va
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenuser” /f /va
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenadmin” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents” /v “iehardenuser” /t REG_DWORD /d 0 /f::REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” /f /va::REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}” /f /va:: Optional to remove warning on first IE Run and set home page to blank. remove the:: from lines below:: 32-bit HKCU Keys
REG DELETE “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “First Home Page” /f
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “Default_Page_URL” /t REG_SZ /d “about:blank” /f
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “Start Page” /t REG_SZ /d “about:blank” /f:: This will disable a warning the user may get regarding Protected Mode being disable for intranet, which is the default. :: See article:: Intranet Protected mode is disable. Warning should not appear and this key will disable the warning
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main” /v “NoProtectedModeBanner” /t REG_DWORD /d 1 /f:: Removing Terminal Server Shadowing x86 32bit
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f:: Removing Terminal Server Shadowing Wow6432Node
REG DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
How to manage the IEHarden Setting for users by using Group Policy Preferences (GPP)
To change the IEHarden setting for users by using Group Policy Preferences Registry configuration, follow these steps:
Open the console, and then navigate to User Configuration > Preferences > Windows Settings.
In the navigation pane, right-click the Registry object, and then select New > Registry Item.
In IEHarden Properties, specify the following settings:
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Value name: IEHarden
Value Type: REG_DWORD
Value data: 0 or 00000000
Select Apply and OK to complete this GPP configuration.
Note
You may also want to check the following registry subkeys if this value does not resolve the problem. In most cases, this is not necessary.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Internet Explorer doesn’t seem to work after you disable ESC by using Server Manager
To troubleshoot this scenario, refer to Standard users can’t turn off Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server or a later version. Basically, you may have to enable or disable ESC again. Targeting the registry may be the easiest way to resolve this problem.
internet explorer advanced settings registry,internet explorer settings,internet explorer enhanced security configuration server 2019,group policy internet explorer 11,internet options settings,turn off internet explorer enhanced security configuration server 2016,reset internet explorer settings windows 10,how to reset internet explorer settings
Advanced to the default setting.
“Reset Internet Explorer settings” will return even more options to the default setting, but will also delete History, Temporary Internet Files, Cookies and stored passwords.
What a reset of IE settings will do:
Windows Vista Help- Reset Internet Explorer settings:
Don
15 people found this reply helpful
·
Was this reply helpful?
Sorry this didn’t help.
Great! Thanks for your feedback.
How satisfied are you with this reply?
Thanks for your feedback, it helps us improve the site.
Thanks for your feedback.” alt=”What does Restore advanced settings in Internet Explorer do?” title=”What does Restore advanced settings in Internet Explorer do?” />
What does Restore advanced settings in Internet Explorer do?
“Restore advanced settings” will return settings in Internet Options> Advanced to the default setting. “Reset Internet Explorer settings” will return even more options to the default setting , but will also delete History, Temporary Internet Files, Cookies and stored passwords.Jan 19, 2013
What is advanced to enable in Internet options?
Choose Tools > Internet Options. Select the Security tab. In Security settings, select Miscellaneous > set “Launching Programs and files in an IFRAME” to prompt or enable. Enable is recommended.