How to manage the IEHarden Setting for users using Group Policy Preferences(GPP)?

In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.

By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case scenario, it affected a script from executing for Standard users.

Other scenarios, the user cannot see the items in the trusted site zone settings.

 

Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.

Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.

Applies To: Windows 2000, Windows 2003, Windows 2008, Windows 2012 Servers running Terminal server configuration. Including R2 versions.

Scenarios:

• You are working out of a Terminal Server
• Your Trusted Sites Zone settings may be gray out and unable to see the entries
• You are using Site To Zone Assignment list and appears not to be working
• Zone GPO not showing in Local Intranet Zone or Trusted Site

STEPS:

• Open your GMPC.MSC console and navigate to User Configuration / Preferences / Windows Settings
• Right Click on the Registry object from the left hand pane and select New > registry Item

• From New Registry Properties, you can fill in the following settings:
  • For Hive: HKEY_CURRENT_USER
  • For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • For Value name: IEHarden
  • For Value Type: REG_DWORD
  • For Value data: 0 OR 00000000

Screenshot:

• Apply and OK to complete this GPP Configuration

 

NOTE: You may also want to check the following registry keys if this value alone does not help resolved your case scenario. In most cases, this is not needed!

• HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HEKY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

 

Another way to get the key change is using a batch file, you can easily use the REG.exe to change the settings.

Examples

TO HELP SET THE IEHARDEN VALUE TO 0

ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::https://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f

TO COMPLETELY DELETE THE KEY USING A BATCH FILE:

ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::https://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Deletes the IE Harden for users
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

 

HOW DO I KNOW THE GPO IS WORKING?

• The best way to validate the gpo is working is to become familiar with the registry location being affected by this setting. So, simply navigate to the HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify the IEHarden entry exist with REG_DWORD value set to 0 for the logon user account.

Other Related Blog Post:

• How to troubleshoot IE Enhanced Security warning "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" ?
  • https://blogs.msdn.com/b/askie/archive/2012/09/11/disable-ie-enhanced-security-does-not-work-in-windows-2003-and-2008-remote-desktop-services-terminal-services-host.aspx
• How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?
  • https://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

This blog has been provided to you by the IE Support team!

Comments

• Anonymous
  March 24, 2016
  The comment has been removed
  • Anonymous
    March 24, 2016
    Internet Explorer, IE ESC, IEharden is set to 0, IE ESC will not disable, Terminal server, RDS, RDP, RDBC, AWS